1 Introduction


Lax logic is a modal logic extending intuitionistic propositional logic with a single (lax) modality ○A satisfying the following axioms.

⊢ A ⊃ ○A

⊢ ○○A ⊃ ○A

⊢ ○(A ⊃ B) ⊃ (○A ⊃ ○B)

In this report we describe two simple translations of lax logic with multiple modalities: a first-order translation into first-order intuitionistic logic and a linear translation into intuitionistic linear logic. We show that our translations preserve provability. The essence of these translations is a continuation passing style (CPS) encoding of the lax modality.

Background. In its propositional form, lax logic was introduced by Mendler et al. [FM97] as a means of modeling digital circuits. Subsequently, a first-order version was developed for use in constraint logic programming [FW97, FMW97]. The semantics and proof theory of lax logic are well studied [PD01, FM97, How01, BBdP98, GP06, AMdPR01] and the propositional fragment is decidable [FM97, How01]. Lax logic corresponds (under the Curry-Howard isomorphism) to monads from functional programming [BBdP98].

Our primary interest in lax logic is its application to representing decentralized access-control systems where different users, machines, programs, etc. (abstractly called principals) request access to secure resources like files or devices under the control of other principals such as administrators or the operating system. The policies governing access to resources are formalized as logical formulas in a suitably chosen logic. Access is granted to a resource if a particular proposition such as can_read(Bob, foo.pdf) is provable in the logic from the given policy.

A quintessential requirement on a logic of access control is a notion of statements made by a principal [ABLP93, LABW92]. For instance, we may want to formalize the following statements in the access control policy of a file system:

-  Administrator  says  Bob  can  read  foo.pdf 

- Administrator says that any user X can read foo.pdf if X is a member of the group of privileged users

One convenient way of formalizing such statements is to introduce for each principal K a modality ⟨K⟩A (read "K says A") with the intended meaning that K says that A is true. Then the above statements can be encoded as follows.

- ⟨administrator⟩can_read(Bob, foo.pdf)

- ⟨administrator⟩(∀X. privileged(X) ⊃ can_read(X, foo.pdf)).

Here privileged(X) is a predicate indicating that X is a privileged user and can_read(Bob, foo.pdf) means that Bob is allowed to read foo.pdf.

There is reasonable flexibility in choosing the logical rules governing the modality ⟨K⟩A and a number of proposals have been made [LABW92, ABLP93, Aba03, GP06, Aba06]. For instance the □ operator from modal logic K can be used. However, more recently, an increasingly large number of proposals [GP06, Aba06, CCD+07, GBB+06, LLFS+07, GA08] have chosen ⟨K⟩A to be a lax modality, with the rules described earlier:

⊢ A ⊃ ⟨K⟩A

⊢ ⟨K⟩⟨K⟩A ⊃ ⟨K⟩A

⊢ ⟨K⟩(A ⊃ B) ⊃ (⟨K⟩A ⊃ ⟨K⟩B)

With these rules, the access control logic becomes an indexed lax logic, with one lax modality for every principal. We briefly mention the merits of making ⟨K⟩A a lax modality, referring the interested reader to existing work for more details on modeling access control systems in the logic [LABW92, ABLP93, GP06].

- Owing to a well studied proof theory, the notion of proof is well understood for lax logic. This is crucial in access control systems that often rely on the existence of a proof of a certain proposition (like can_read(Bob, foo.pdf)) in order to grant access to resources. This is particularly the case with proof-carrying authorization architectures [AF99, Bau03].

- The axiom A ⊃ ⟨K⟩A forces every principal to state every true statement A. This indicates that proof is irrefutable evidence, i.e., if A has a proof, then every principal will believe it. This is not the case in a number of modal logics, such as K.

- It is not the case that (⟨K⟩⊥) ⊃ ⊥. Thus, individual principals may make inconsistent statements without making the logic inconsistent. This is important since principals may be malicious.

In this report, we present a translation from an access control logic with lax modalities (called INLL for INdexed Lax Logic here) to two different logics: first-order intuitionistic logic and intuitionistic propositional linear logic. We show in each case that the translations preserve provability of formulas. In particular, we prove two complementary theorems in each case: soundness, which states that a translated formula is provable only if the original formula is, and completeness, which states the converse.

The  main  motivation  for  studying  these  translations  is  automation  of  the  proof  search  procedure 
for  INLL,  which  is  central  to  implementations  of  access  control  systems  using  the  logic.  Rather  than 
prove  a  formula  in  INLL  (for  which  theorem  provers  are  not  known),  one  could  simply  translate  it 
to  (say)  first-order  logic  and  use  a  standard  theorem  prover.  Besides  automation,  our  results  are 
interesting  from  a  theoretical  perspective.  To  the  best  of  our  knowledge,  these  are  the  first  sound 
and  complete  translations  from  lax  logic  to  logics  without  any  modalities  (with  the  exception  of 
translations  based  on  explicit  encodings  of  Kripke  interpretations  at  first-order). 

Related Work. Our translations rely on encoding the lax modalities in a continuation passing style (CPS). Our translations extend a complete but unsound translation from lax logic to propositional logic proposed by Mendler et al. [FM97], which maps ○A to (⌜A⌝ ⊃ C) ⊃ C, where C is a fixed formula. Special cases of our translations suggest that soundness can be recovered in two different ways. The first is to add a universally quantified parameter, mapping ○A to ∀x. (⌜A⌝ ⊃ C(x)) ⊃ C(x). The other possibility is to allow linearity and translate ○A to (⌜A⌝ ⊃ C) ⊸ C.

It is well known in functional programming that all monads (the Curry-Howard equivalents of the lax modality) can be encoded using similar CPS transformations [Fil89, Fil94]. These translations preserve equality of proofs under βη-reduction. We show that CPS translations of lax modalities also preserve the existence of proofs. This expands earlier results from the level of proof terms to the level of provability. The correctness of our linear translation critically uses the fact that continuations arising from the translation have to be used exactly once. This is well understood in functional programming [DDP99, BORT02, Ber04].

There  is  rather  limited  work  on  translating  logics  for  access  control  into  simpler  logics.  We  are 
aware  of  only  one  substantial  effort  in  this  direction  [GA08].  However,  this  work  is  targeted  at 
modal  S4  rather  than  intuitionistic  logic.  Other  previous  work  on  translating  lax  logic  has  targeted 
intuitionistic  S4  [PD01]. 

Organization  of  the  Report.  Section  2  describes  the  syntax  and  proof-system  of  the  access 
control  logic  INLL.  Section  3  describes  the  translation  from  INLL  to  first-order  logic.  In  section  4 
we  modify  this  translation  to  obtain  the  linear  translation.  Section  5  concludes  the  report  with 
directions  for  future  work. 

2  INLL:  Indexed  Lax  Logic 

In this section we describe indexed lax logic INLL, which is the source of our translations. INLL extends intuitionistic propositional logic with a number of lax modalities, indexed by elements of a countable domain of principals. We use A, B to denote arbitrary formulas and P to denote atomic formulas. The letter K ranges over principals.

A, B ::= P | A ⊃ B | A ∧ B | A ∨ B | ⊥ | ⊤ | ⟨K⟩A

The axioms governing the lax modalities ⟨K⟩A have been described in section 1. Both natural deduction and sequent calculus presentations of the proof theory are known for this logic [PD01, FM97, How01, BBdP98]. In the following we describe a cut free sequent calculus from an earlier work by one of the authors [GP06] to the extent necessitated by further discussion. Details of the proof theory may be found in earlier papers.

The sequent calculus for INLL is presented in judgmental style, where the subjects of knowledge are statements about propositions called categorical judgments. We use two categorical judgments: A true, meaning that proposition A is true, and K affirms A, meaning that principal K states that A is true. Based on these categorical judgments, we construct hypothetical judgments, which are the subjects of proofs. Hypothetical judgments take one of the following two forms:

A₁ true, ..., Aₙ true ⇒ B true
A₁ true, ..., Aₙ true ⇒ K affirms B

The judgments A₁ true, ..., Aₙ true are called hypotheses or assumptions, and the intended meaning is that if these judgments hold, then the judgment to the right of ⇒ (B true or K affirms B) holds. We use the symbol Γ to denote a set of hypotheses, and γ to denote the judgment on the right of ⇒ when its exact form does not matter. We elide the judgment name true from A true.

Connectives are described in the sequent calculus using left and right rules. As an example, the rules for implication ⊃ are:

Γ, A ⇒ B
------------ ⊃R
Γ ⇒ A ⊃ B

Γ, A ⊃ B ⇒ A    Γ, A ⊃ B, B ⇒ γ
--------------------------------- ⊃L
Γ, A ⊃ B ⇒ γ
Rules for the connectives ∧, ∨, ⊤, ⊥ are standard, and may be found in Appendix A. The rules for ⟨K⟩A are:

Γ ⇒ K affirms A
------------------ ⟨⟩R
Γ ⇒ ⟨K⟩A

Γ, ⟨K⟩A, A ⇒ K affirms C
-------------------------- ⟨⟩L
Γ, ⟨K⟩A ⇒ K affirms C

The first rule states that in order to establish that ⟨K⟩A is true, it is enough to establish that K affirms A. The second rule states that if we assume that ⟨K⟩A is true, then we are justified in assuming that A is true provided we are trying to prove a goal of the form K affirms C. Note the accordance of principal K on the left and right of ⇒ in this rule. The final rule connects the two basic judgments:

Γ ⇒ A
------------------ affirms
Γ ⇒ K affirms A

This rule states that if A is true, then it is also the case that K affirms A. Together these three rules capture the lax nature of the modality ⟨K⟩A. Appendix A summarizes the sequent calculus. It can be shown that this sequent calculus is equivalent to the three axioms described earlier, and that in the degenerate case where we consider only one principal, this logic reduces to lax logic. The following cut admissibility theorem was proved in [GP06].

Theorem 2.1 (Admissibility of Cut).

1. If Γ ⇒ A and Γ, A ⇒ γ, then Γ ⇒ γ.

2. If Γ ⇒ K affirms A and Γ, A ⇒ K affirms B, then Γ ⇒ K affirms B.


3  Translation  to  First-Order  Intuitionistic  Logic 

Now we present the translation from INLL to first-order intuitionistic logic (FOIL). The syntax and proof theory of intuitionistic first-order logic are standard. A cut free sequent calculus is summarized in Appendix B. We write Σ; Γ ⇒ A to mean that from assumptions Γ, A is provable in FOIL. The set Σ records all first-order constants occurring in Γ and A.

Our translation (⌜·⌝) is described in Figure 1. It maps all intuitionistic connectives of INLL to themselves. The core of our work is the translation of ⟨K⟩A. We assume the existence of a binary predicate af(K, x), which does not occur in INLL formulas. Its first argument is a principal. The second is assumed to have an arbitrary fixed type. We often call the second argument a nonce. We define

⌜⟨K⟩A⌝ = ∀x.(⌜A⌝ ⊃ af(K,x)) ⊃ af(K,x)

This resembles a CPS transformation of the lax modality. The formula ⌜A⌝ ⊃ af(K, x) is the "type" of the continuation, and af(K, x) is the type of the result. It is necessary to universally quantify over the nonce x in order to preserve provability. Figure 1 also shows the translation of hypotheses Γ and sequents. The non-trivial part is the translation of the sequent Γ ⇒ K affirms A, which is defined as Σ, a; ⌜Γ⌝, (⌜A⌝ ⊃ af(K, a)) ⇒ af(K, a) where a is a fresh constant.

⌜P⌝ = P
⌜A₁ ∧ A₂⌝ = ⌜A₁⌝ ∧ ⌜A₂⌝
⌜A₁ ∨ A₂⌝ = ⌜A₁⌝ ∨ ⌜A₂⌝
⌜A₁ ⊃ A₂⌝ = ⌜A₁⌝ ⊃ ⌜A₂⌝
⌜⊤⌝ = ⊤
⌜⊥⌝ = ⊥
⌜⟨K⟩A⌝ = ∀x.(⌜A⌝ ⊃ af(K,x)) ⊃ af(K,x)

⌜Γ⌝ = {⌜A₁⌝, ..., ⌜Aₙ⌝}    where Γ = {A₁, ..., Aₙ}

⌜Γ ⇒ A⌝ = Σ; ⌜Γ⌝ ⇒ ⌜A⌝
⌜Γ ⇒ K affirms A⌝ = Σ, a; ⌜Γ⌝, (⌜A⌝ ⊃ af(K,a)) ⇒ af(K,a)    (a fresh)

Σ contains all constants mentioned in Γ, A and K.

Figure 1: First-Order Translation

We prove two complementary correctness theorems for the translation. Completeness states that whenever a formula is provable in INLL, its translation is provable in FOIL. The dual theorem, soundness, states the converse. Completeness is easy to establish. We only need to show that each inference rule in the sequent calculus for INLL can be simulated in FOIL after translation. The formal proof is a straightforward induction on a given INLL proof.

Theorem 3.1 (Completeness). Suppose Σ contains all first-order constants mentioned in Γ, A and K.

1. If Γ ⇒ A in INLL, then Σ; ⌜Γ⌝ ⇒ ⌜A⌝ in FOIL.

2. If Γ ⇒ K affirms A in INLL, then Σ, a; ⌜Γ⌝, (⌜A⌝ ⊃ af(K, a)) ⇒ af(K, a) in FOIL for every fresh constant a.

Proof. See Appendix D. □

Soundness states that if ⌜Γ⌝ ⇒ ⌜A⌝ in FOIL, then Γ ⇒ A in INLL. Establishing this theorem is non-trivial. Our approach is to identify a syntactic class of FOIL sequents which can occur in proofs of translated INLL sequents. Then we define an inverse translation (⌞·⌟) from this class of sequents to INLL, such that ⌞⌜·⌝⌟ is the identity. Finally we induct on proofs of sequents in this class to show that their inverse translation is provable in INLL. The formal soundness theorem is shown below.

Theorem 3.2 (Soundness). Suppose Σ contains all first-order constants mentioned in Γ, A and K.

1. If Σ; ⌜Γ⌝ ⇒ ⌜A⌝ in FOIL, then Γ ⇒ A in INLL.

2. If Σ, a; ⌜Γ⌝, (⌜A⌝ ⊃ af(K, a)) ⇒ af(K, a) and a ∉ Σ, then Γ ⇒ K affirms A.

Proof. See Appendix E. □

Importance of Nonces. The universally quantified nonce x in the translated formula ∀x.(⌜A⌝ ⊃ af(K,x)) ⊃ af(K,x) is essential for the proof of soundness. A translation without the nonce is unsound. We show this by means of a counterexample. Suppose that we omit the nonce, so that af is a unary predicate expecting only one principal as argument and define

⌜⟨K⟩A⌝ = (⌜A⌝ ⊃ af(K)) ⊃ af(K)

Consider the INLL formula ((A ⊃ ⟨K⟩B) ⊃ A) ⊃ ⟨K⟩A. It is quite easy to verify that this formula is not provable in general in INLL. However its translation is provable in FOIL for any A, B and K, as the following derivation shows. The derivation is written with the conclusion first and the premises of each rule indented below it; Φ abbreviates ⌜(A ⊃ ⟨K⟩B) ⊃ A⌝.

⇒ ⌜((A ⊃ ⟨K⟩B) ⊃ A) ⊃ ⟨K⟩A⌝                                        ⊃R
  Φ ⇒ ⌜⟨K⟩A⌝                                                        ⊃R
    Φ, [⌜A⌝ ⊃ af(K)] ⇒ af(K)                                        ⊃L*
      [Φ], ⌜A⌝ ⊃ af(K) ⇒ ⌜A⌝                                        ⊃L
        Φ, ⌜A⌝ ⊃ af(K) ⇒ ⌜A ⊃ ⟨K⟩B⌝                                 ⊃R
          Φ, ⌜A⌝ ⊃ af(K), ⌜A⌝ ⇒ ⌜⟨K⟩B⌝                              ⊃R+
            Φ, [⌜A⌝ ⊃ af(K)], ⌜A⌝, ⌜B⌝ ⊃ af(K) ⇒ af(K)              ⊃L**
              Φ, ⌜A⌝ ⊃ af(K), ⌜A⌝, ⌜B⌝ ⊃ af(K) ⇒ ⌜A⌝                init
              Φ, ⌜A⌝ ⊃ af(K), ⌜A⌝, ⌜B⌝ ⊃ af(K), af(K) ⇒ af(K)       init
        Φ, ⌜A⌝ ⊃ af(K), ⌜A⌝ ⇒ ⌜A⌝                                   init
      Φ, ⌜A⌝ ⊃ af(K), af(K) ⇒ af(K)                                 init

In each application of the ⊃L rule, we have enclosed the principal formula in square brackets. This proof uses the continuation ⌜A⌝ ⊃ af(K) twice: once in the rule marked * and then in the rule marked **. If we used a universally quantified nonce in the predicate af(K, x), this proof would be invalid because the goal af(K) generated from ⌜⟨K⟩B⌝ (rule marked +) would contain a fresh nonce that would not match the nonce in the continuation.


4  Translation  to  Intuitionistic  Linear  Logic 

The counterexample at the end of section 3 demonstrates that the nonce x is essential in the first-order translation. We now describe an alternate possibility. Instead of adding the nonce, we could make the continuation (⌜A⌝ ⊃ af(K)) linear, forcing it to be used exactly once in the proof. The rule marked * would consume the continuation, making it unavailable in the rule marked **. This would invalidate the proof and eliminate the need for a first-order quantifier. Formally, we translate INLL to propositional intuitionistic linear logic (ILL) instead of first-order intuitionistic logic.

There are several presentations of intuitionistic linear logic [dPH93, CCP03, Wad93, Bar96]. We use a two-context presentation [CCP03, Bar96]. Appendix C summarizes the syntax and semantics of ILL. The judgment Γ; Δ ⇒ A means that under the linear assumptions Δ and unrestricted assumptions Γ, A can be established. The assumptions in Δ must each be used exactly once. Those in Γ may be used zero or more times. We use the symbol ⊸ for linear implication, and ⊃ for non-linear implication. One may think of A ⊃ B as being (!A) ⊸ B. The other connectives we need are & (additive conjunction), ⊕ (additive disjunction), ⊤ and 0.

Our linear translation (⌜⌜·⌝⌝) is described in Figure 2. For intuitionistic connectives, our translation mirrors Girard's translation from intuitionistic logic to linear logic [Gir87]. For translating ⟨K⟩B, we assume a unary predicate af(K) whose argument is a principal and define

⌜⌜⟨K⟩B⌝⌝ = (⌜⌜B⌝⌝ ⊃ af(K)) ⊸ af(K)
⌜⌜P⌝⌝ = P
⌜⌜B₁ ∧ B₂⌝⌝ = ⌜⌜B₁⌝⌝ & ⌜⌜B₂⌝⌝
⌜⌜B₁ ∨ B₂⌝⌝ = ⌜⌜B₁⌝⌝ ⊕ ⌜⌜B₂⌝⌝
⌜⌜B₁ ⊃ B₂⌝⌝ = ⌜⌜B₁⌝⌝ ⊃ ⌜⌜B₂⌝⌝
⌜⌜⊤⌝⌝ = ⊤
⌜⌜⊥⌝⌝ = 0
⌜⌜⟨K⟩B⌝⌝ = (⌜⌜B⌝⌝ ⊃ af(K)) ⊸ af(K)

⌜⌜Γ⌝⌝ = {⌜⌜A₁⌝⌝, ..., ⌜⌜Aₙ⌝⌝}    where Γ = {A₁, ..., Aₙ}

⌜⌜Γ ⇒ A⌝⌝ = ⌜⌜Γ⌝⌝; · ⇒ ⌜⌜A⌝⌝
⌜⌜Γ ⇒ K affirms A⌝⌝ = ⌜⌜Γ⌝⌝; (⌜⌜A⌝⌝ ⊃ af(K)) ⇒ af(K)

Figure 2: Linear Translation


Observe the use of ⊸ in the translation. For sequents, the interesting part is the translation of Γ ⇒ K affirms A, where the continuation (⌜⌜A⌝⌝ ⊃ af(K)) is a linear assumption. It is instructive to check that by making the translation linear in this manner, the counterexample at the end of section 3 no longer holds.
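As an added illustration (not code from the report), the following Python implements the formula translations of Figure 1 and Figure 2 side by side, together with the nonce-free variant that section 3 shows to be unsound, over a small tuple-based formula syntax of our own; the encoding, the `nonces()` name supply and the printer are our assumptions, and Σ is not tracked.

```python
import itertools

# Formulas are tuples tagged by their connective (our own constructed encoding):
#   ('atom', P)  ('imp', A, B)  ('and', A, B)  ('or', A, B)  ('top',)  ('bot',)
#   ('says', K, A)                  -- the indexed lax modality <K>A of INLL
# Target-side constructors (not INLL syntax):
#   ('af', K, x)   af(K,x); x is None for the nonce-free af(K) of the linear case
#   ('forall', x, A)  ('lolli', A, B)  ('with', A, B)  ('plus', A, B)  ('zero',)


def nonces():
    """Supply of fresh names x1, x2, ... (assumption: no INLL atom uses them)."""
    return (f"x{i}" for i in itertools.count(1))


def fo_translate(a, fresh):
    """Figure 1: the first-order translation into FOIL.  Intuitionistic
    connectives map to themselves; <K>A becomes
    forall x.(A' > af(K,x)) > af(K,x) with a universally quantified nonce x."""
    op = a[0]
    if op in ("atom", "top", "bot"):
        return a
    if op in ("imp", "and", "or"):
        return (op, fo_translate(a[1], fresh), fo_translate(a[2], fresh))
    if op == "says":
        k, x = a[1], next(fresh)
        body = fo_translate(a[2], fresh)
        return ("forall", x, ("imp", ("imp", body, ("af", k, x)), ("af", k, x)))
    raise ValueError(f"not an INLL formula: {op}")


def fo_translate_affirms_sequent(hyps, k, a, fresh):
    """Figure 1, sequents: Gamma => K affirms A becomes
    Sigma,a; [Gamma], ([A] > af(K,a)) => af(K,a) for a fresh constant a.
    Returns (context, goal); Sigma is not tracked in this illustration."""
    c = next(fresh)  # the fresh constant a
    ctx = [fo_translate(h, fresh) for h in hyps]
    ctx.append(("imp", fo_translate(a, fresh), ("af", k, c)))  # the continuation
    return ctx, ("af", k, c)


_GIRARD = {"and": "with", "or": "plus", "imp": "imp"}  # /\ -> &, \/ -> +, > -> >


def lin_translate(b):
    """Figure 2: the linear translation into propositional ILL.  <K>B becomes
    ([B] > af(K)) -o af(K): no nonce, but the continuation sits to the left of a
    linear implication, so a proof must use it exactly once."""
    op = b[0]
    if op in ("atom", "top"):
        return b
    if op == "bot":
        return ("zero",)
    if op in _GIRARD:
        return (_GIRARD[op], lin_translate(b[1]), lin_translate(b[2]))
    if op == "says":
        k, body = b[1], lin_translate(b[2])
        return ("lolli", ("imp", body, ("af", k, None)), ("af", k, None))
    raise ValueError(f"not an INLL formula: {op}")


def unsound_translate(b):
    """The nonce-free, non-linear variant of section 3: <K>A becomes
    ([A] > af(K)) > af(K).  Complete, but the counterexample shows it unsound."""
    op = b[0]
    if op in ("atom", "top", "bot"):
        return b
    if op in ("imp", "and", "or"):
        return (op, unsound_translate(b[1]), unsound_translate(b[2]))
    if op == "says":
        k, body = b[1], unsound_translate(b[2])
        return ("imp", ("imp", body, ("af", k, None)), ("af", k, None))
    raise ValueError(f"not an INLL formula: {op}")


_SYM = {"imp": "⊃", "and": "∧", "or": "∨", "lolli": "⊸", "with": "&", "plus": "⊕"}


def show(f):
    """Render a formula in the notation of the report."""
    op = f[0]
    if op == "atom":
        return f[1]
    if op in ("top", "bot", "zero"):
        return {"top": "⊤", "bot": "⊥", "zero": "0"}[op]
    if op == "af":
        return f"af({f[1]})" if f[2] is None else f"af({f[1]},{f[2]})"
    if op == "forall":
        return f"∀{f[1]}.{show(f[2])}"
    if op == "says":
        return f"<{f[1]}>{show(f[2])}"
    return f"({show(f[1])} {_SYM[op]} {show(f[2])})"


if __name__ == "__main__":
    A, B = ("atom", "A"), ("atom", "B")
    # the INLL formula ((A > <K>B) > A) > <K>A that section 3 shows is unprovable
    counter = ("imp", ("imp", ("imp", A, ("says", "K", B)), A), ("says", "K", A))
    print("first-order:", show(fo_translate(counter, nonces())))
    print("linear:     ", show(lin_translate(counter)))
    print("no nonce:   ", show(unsound_translate(counter)))
```

Running the block prints the three translations of the section 3 counterexample; only in the first two does the continuation for ⟨K⟩B carry its own nonce or its own linear resource, which is what blocks the double use of ⌜A⌝ ⊃ af(K) in the derivation above.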

Correctness  of  the  translation  is  established  by  proving  soundness  and  completeness.  It  is 
straightforward  to  establish  completeness  by  showing  that  each  proof  in  INLL  can  be  simulated  in 
ILL. 

Theorem 4.1 (Completeness).

1. If Γ ⇒ A in INLL, then ⌜⌜Γ⌝⌝; · ⇒ ⌜⌜A⌝⌝ in ILL.

2. If Γ ⇒ K affirms A in INLL, then ⌜⌜Γ⌝⌝; (⌜⌜A⌝⌝ ⊃ af(K)) ⇒ af(K) in ILL.

Proof. See Appendix F. □

Soundness  is  harder,  but  can  be  established  using  methods  similar  to  section  3. 

Theorem 4.2 (Soundness).

1. If ⌜⌜Γ⌝⌝; · ⇒ ⌜⌜A⌝⌝ in ILL, then Γ ⇒ A in INLL.

2. If ⌜⌜Γ⌝⌝; (⌜⌜A⌝⌝ ⊃ af(K)) ⇒ af(K) in ILL, then Γ ⇒ K affirms A in INLL.

Proof. See Appendix G. □

5  Conclusion 

We have presented translations of propositional indexed lax logic to first-order intuitionistic logic and intuitionistic linear logic, and showed that they preserve provability. The essence of our translations is a CPS encoding of lax modalities. We conclude this report with a discussion of extensions and future work.


First-order  and  linear  extensions.  INLL  is  a  propositional  logic.  Our  translations  can  be 
extended  to  extensions  of  INLL  with  first-order  universal  and  existential  quantifiers,  including  those 
over  principals,  by  mapping  these  quantifiers  to  themselves.  In  the  case  of  the  linear  translation 
this  requires  corresponding  connectives  in  the  target  linear  logic.  For  the  first-order  case,  one  must 
also  assume  that  the  type  of  nonces  is  fresh,  i.e.,  nonces  do  not  appear  in  INLL  formulas. 

It is also possible to translate a linear logic with indexed lax modalities to linear logic without any modalities. In this case, every linear connective is mapped to itself, and ⟨K⟩A is mapped to (⌜⌜A⌝⌝ ⊃ af(K)) ⊸ af(K). This is interesting because applications of linear logic in access control have been studied recently [GBB+06, BBG+07].

Future  Work.  An  immediate  subject  of  future  work  is  to  actually  use  our  translations  for  theorem 
proving  in  access  control  systems.  We  would  like  to  see  if  this  idea  scales  to  large  access  control 
policies  that  are  used  in  practice. 

On a more theoretical note, we would like to use our translation to explore Kripke semantics for lax logic. Since Kripke semantics of first-order logic are well understood, we should be able to derive semantics for lax logic using the translation. It would be interesting to explore how these relate to existing Kripke semantics [FM97, AMdPR01, GA08], and whether these derived semantics have some practical application in the context of access control.

In a related direction, it is possible to obtain translations from lax logic into first-order intuitionistic logic by taking existing Kripke semantics and encoding their accessibility relations as explicit predicates. It would be interesting to see if these translations relate to ours in a meaningful way.
A INLL

INLL has all the inference rules of intuitionistic propositional logic:

------------ init
Γ, P ⇒ P

Γ, A, A ∧ B ⇒ C
------------------ ∧L₁
Γ, A ∧ B ⇒ C

Γ, B, A ∧ B ⇒ C
------------------ ∧L₂
Γ, A ∧ B ⇒ C

Γ ⇒ A    Γ ⇒ B
---------------- ∧R
Γ ⇒ A ∧ B

Γ ⇒ A
------------ ∨R₁
Γ ⇒ A ∨ B

Γ ⇒ B
------------ ∨R₂
Γ ⇒ A ∨ B

Γ, A ⇒ C    Γ, B ⇒ C
---------------------- ∨L
Γ, A ∨ B ⇒ C

Γ, A ⊃ B ⇒ A    Γ, A ⊃ B, B ⇒ C
--------------------------------- ⊃L
Γ, A ⊃ B ⇒ C

Γ, A ⇒ B
------------ ⊃R
Γ ⇒ A ⊃ B

------------ ⊥L
Γ, ⊥ ⇒ A

---------- ⊤R
Γ ⇒ ⊤

To these we add inference rules mirroring the left rules of intuitionistic propositional logic:

Γ, A, A ∧ B ⇒ K affirms C
--------------------------- ∧L₁'
Γ, A ∧ B ⇒ K affirms C

Γ, B, A ∧ B ⇒ K affirms C
--------------------------- ∧L₂'
Γ, A ∧ B ⇒ K affirms C

Γ, A ⇒ K affirms C    Γ, B ⇒ K affirms C
------------------------------------------ ∨L'
Γ, A ∨ B ⇒ K affirms C

Γ, A ⊃ B ⇒ A    Γ, A ⊃ B, B ⇒ K affirms C
------------------------------------------- ⊃L'
Γ, A ⊃ B ⇒ K affirms C

------------------------ ⊥L'
Γ, ⊥ ⇒ K affirms C

Finally, we add rules connecting the two judgment forms:

Γ ⇒ A
------------------ affirms
Γ ⇒ K affirms A

Γ ⇒ K affirms A
------------------ ⟨⟩R
Γ ⇒ ⟨K⟩A

Γ, ⟨K⟩A, A ⇒ K affirms C
-------------------------- ⟨⟩L
Γ, ⟨K⟩A ⇒ K affirms C

B Intuitionistic First-Order Logic

--------------- init
Σ; Γ, P ⇒ P

Σ; Γ, A ⇒ C
------------------ ∧L₁
Σ; Γ, A ∧ B ⇒ C

Σ; Γ, B ⇒ C
------------------ ∧L₂
Σ; Γ, A ∧ B ⇒ C

Σ; Γ ⇒ A    Σ; Γ ⇒ B
---------------------- ∧R
Σ; Γ ⇒ A ∧ B

Σ; Γ, A ⇒ C    Σ; Γ, B ⇒ C
---------------------------- ∨L
Σ; Γ, A ∨ B ⇒ C

Σ; Γ ⇒ A
--------------- ∨R₁
Σ; Γ ⇒ A ∨ B

Σ; Γ ⇒ B
--------------- ∨R₂
Σ; Γ ⇒ A ∨ B

Σ; Γ, A ⊃ B ⇒ A    Σ; Γ, A ⊃ B, B ⇒ C
--------------------------------------- ⊃L
Σ; Γ, A ⊃ B ⇒ C

Σ; Γ, A ⇒ B
--------------- ⊃R
Σ; Γ ⇒ A ⊃ B

--------------- ⊥L
Σ; Γ, ⊥ ⇒ A

------------ ⊤R
Σ; Γ ⇒ ⊤

Σ; Γ, ∀x.A, [t/x]A ⇒ C
------------------------ ∀L
Σ; Γ, ∀x.A ⇒ C

Σ, a; Γ ⇒ [a/x]A    (a ∉ Σ)
---------------------------- ∀R
Σ; Γ ⇒ ∀x.A

Σ, a; Γ, ∃x.A, [a/x]A ⇒ C    (a ∉ Σ)
------------------------------------- ∃L
Σ; Γ, ∃x.A ⇒ C

Σ; Γ ⇒ [t/x]A
---------------- ∃R
Σ; Γ ⇒ ∃x.A
C Linear Logic

The syntax of intuitionistic propositional linear logic follows:

A, B ::= P | A ⊗ B | 1 | A ⊸ B | A ⊃ B | A & B | ⊤ | A ⊕ B | 0 | !A

where P ranges over atomic propositions.

To express truth, the judgment form B true is needed. The sequent form Γ; Δ ⇒ B true expresses hypothetical judgments. It means that under the unrestricted assumptions Γ and the restricted (linear) assumptions Δ, B is true. The two contexts have the following form:

Γ ::= · | Γ, B    Unrestricted Context

Δ ::= · | Δ, B    Linear Context

The inference rules of the logic are as follows.

Judgmental Rules

------------------ init
Γ; P ⇒ P true

Γ, A; Δ, A ⇒ C true
--------------------- copy
Γ, A; Δ ⇒ C true

Multiplicative Connectives

Γ; Δ₁ ⇒ A true    Γ; Δ₂ ⇒ B true
---------------------------------- ⊗R
Γ; Δ₁, Δ₂ ⇒ A ⊗ B true

Γ; Δ, A, B ⇒ C true
---------------------- ⊗L
Γ; Δ, A ⊗ B ⇒ C true

---------------- 1R
Γ; · ⇒ 1 true

Γ; Δ ⇒ C true
------------------ 1L
Γ; Δ, 1 ⇒ C true

Γ; Δ, A ⇒ B true
-------------------- ⊸R
Γ; Δ ⇒ A ⊸ B true

Γ; Δ₁ ⇒ A true    Γ; Δ₂, B ⇒ C true
------------------------------------- ⊸L
Γ; Δ₁, Δ₂, A ⊸ B ⇒ C true

Γ, A; Δ ⇒ B true
-------------------- ⊃R
Γ; Δ ⇒ A ⊃ B true

Γ; · ⇒ A true    Γ; Δ, B ⇒ C true
----------------------------------- ⊃L
Γ; Δ, A ⊃ B ⇒ C true

Additive Connectives

Γ; Δ ⇒ A true    Γ; Δ ⇒ B true
-------------------------------- &R
Γ; Δ ⇒ A & B true

Γ; Δ, A ⇒ C true
---------------------- &L₁
Γ; Δ, A & B ⇒ C true

Γ; Δ, B ⇒ C true
---------------------- &L₂
Γ; Δ, A & B ⇒ C true

---------------- ⊤R    (no ⊤L rule)
Γ; Δ ⇒ ⊤ true

Γ; Δ ⇒ A true
------------------- ⊕R₁
Γ; Δ ⇒ A ⊕ B true

Γ; Δ ⇒ B true
------------------- ⊕R₂
Γ; Δ ⇒ A ⊕ B true

Γ; Δ, A ⇒ C true    Γ; Δ, B ⇒ C true
-------------------------------------- ⊕L
Γ; Δ, A ⊕ B ⇒ C true

------------------ 0L
Γ; Δ, 0 ⇒ C true

Exponential Connective

Γ; · ⇒ A true
---------------- !R
Γ; · ⇒ !A true

Γ, A; Δ ⇒ C true
------------------- !L
Γ; Δ, !A ⇒ C true
D Proof of Completeness for First-Order Translation

Before proving completeness, we must prove a lemma.

Lemma D.1. ⌜[t/x]A⌝ = [t/x]⌜A⌝, where t ranges over terms.

Proof. By induction on the structure of A. □

Now we prove completeness. By the definition of ⌜Σ; Γ ⇒ γ⌝, this may be shown by proving

1. if Σ; Γ ⇒ C, then Σ; ⌜Γ⌝ ⇒ ⌜C⌝; and

2. if Σ; Γ ⇒ K affirms C, then for any fresh a, Σ, a; ⌜Γ⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a).

We prove these statements by simultaneous induction over the derivations 𝒟 of Σ; Γ ⇒ A or Σ; Γ ⇒ K affirms C:

Case: 𝒟 =
    --------------- init
    Σ; Γ, P ⇒ P

1. Σ; ⌜Γ⌝, P ⇒ P    by init
2. Σ; ⌜Γ, P⌝ ⇒ ⌜P⌝    by definition of ⌜·⌝

Case: 𝒟 =
    --------------- ⊥L
    Σ; Γ, ⊥ ⇒ C

1. Σ; ⌜Γ⌝, ⊥ ⇒ ⌜C⌝    by ⊥L
2. Σ; ⌜Γ, ⊥⌝ ⇒ ⌜C⌝    by definition of ⌜·⌝

Case: 𝒟 =
    ---------------------------- ⊥L'
    Σ; Γ, ⊥ ⇒ K affirms C

1. Σ, a; ⌜Γ⌝, ⊥, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by ⊥L
2. Σ, a; ⌜Γ, ⊥⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by definition of ⌜·⌝

Case: 𝒟 =
    𝒟₁                    𝒟₂
    Σ; Γ, A ⊃ B ⇒ A    Σ; Γ, A ⊃ B, B ⇒ C
    --------------------------------------- ⊃L
    Σ; Γ, A ⊃ B ⇒ C

1. Σ; ⌜Γ, A ⊃ B⌝ ⇒ ⌜A⌝    by i.h. on 𝒟₁
2. Σ; ⌜Γ⌝, ⌜A⌝ ⊃ ⌜B⌝ ⇒ ⌜A⌝    by definition of ⌜·⌝
3. Σ; ⌜Γ, A ⊃ B, B⌝ ⇒ ⌜C⌝    by i.h. on 𝒟₂
4. Σ; ⌜Γ⌝, ⌜A⌝ ⊃ ⌜B⌝, ⌜B⌝ ⇒ ⌜C⌝    by definition of ⌜·⌝
5. Σ; ⌜Γ⌝, ⌜A⌝ ⊃ ⌜B⌝ ⇒ ⌜C⌝    by ⊃L
6. Σ; ⌜Γ, A ⊃ B⌝ ⇒ ⌜C⌝    by definition of ⌜·⌝

Case: 𝒟 =
    𝒟₁                    𝒟₂
    Σ; Γ, A ⊃ B ⇒ A    Σ; Γ, A ⊃ B, B ⇒ K affirms C
    ------------------------------------------------- ⊃L'
    Σ; Γ, A ⊃ B ⇒ K affirms C

1. Σ; ⌜Γ, A ⊃ B⌝ ⇒ ⌜A⌝    by i.h. on 𝒟₁
2. Σ; ⌜Γ⌝, ⌜A⌝ ⊃ ⌜B⌝ ⇒ ⌜A⌝    by definition of ⌜·⌝
3. Σ, a; ⌜Γ⌝, ⌜A⌝ ⊃ ⌜B⌝, ⌜C⌝ ⊃ af(K, a) ⇒ ⌜A⌝    by weakening
4. Σ, a; ⌜Γ, A ⊃ B, B⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by i.h. on 𝒟₂
5. Σ, a; ⌜Γ⌝, ⌜A⌝ ⊃ ⌜B⌝, ⌜B⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by definition of ⌜·⌝
6. Σ, a; ⌜Γ⌝, ⌜A⌝ ⊃ ⌜B⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by ⊃L
7. Σ, a; ⌜Γ, A ⊃ B⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by definition of ⌜·⌝
Case: 𝒟 =
    𝒟₁
    Σ; Γ, A ⇒ B
    --------------- ⊃R
    Σ; Γ ⇒ A ⊃ B

1. Σ; ⌜Γ, A⌝ ⇒ ⌜B⌝    by i.h. on 𝒟₁
2. Σ; ⌜Γ⌝, ⌜A⌝ ⇒ ⌜B⌝    by definition of ⌜·⌝
3. Σ; ⌜Γ⌝ ⇒ ⌜A⌝ ⊃ ⌜B⌝    by ⊃R
4. Σ; ⌜Γ⌝ ⇒ ⌜A ⊃ B⌝    by definition of ⌜·⌝

Case: 𝒟 =
    𝒟₁
    Σ; Γ ⇒ C
    ---------------------- affirms
    Σ; Γ ⇒ K affirms C

1. Σ; ⌜Γ⌝ ⇒ ⌜C⌝    by i.h. on 𝒟₁
2. Σ, a; ⌜Γ⌝, ⌜C⌝ ⊃ af(K, a) ⇒ ⌜C⌝    by weakening
3. Σ, a; af(K, a) ⇒ af(K, a)    by init
4. Σ, a; ⌜Γ⌝, ⌜C⌝ ⊃ af(K, a), af(K, a) ⇒ af(K, a)    by weakening
5. Σ, a; ⌜Γ⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by ⊃L

Case: 𝒟 =
    𝒟₁
    Σ; Γ ⇒ K affirms C
    ---------------------- ⟨⟩R
    Σ; Γ ⇒ ⟨K⟩C

1. Σ, a; ⌜Γ⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a) where a is fresh    by i.h. on 𝒟₁
2. Σ, a; ⌜Γ⌝ ⇒ (⌜C⌝ ⊃ af(K, a)) ⊃ af(K, a)    by ⊃R
3. Σ; ⌜Γ⌝ ⇒ ∀x.(⌜C⌝ ⊃ af(K, x)) ⊃ af(K, x)    by ∀R (a is fresh)
4. Σ; ⌜Γ⌝ ⇒ ⌜⟨K⟩C⌝    by definition of ⌜·⌝

Case: 𝒟 =
    𝒟₁
    Σ; Γ, ⟨K⟩A, A ⇒ K affirms C
    ------------------------------ ⟨⟩L
    Σ; Γ, ⟨K⟩A ⇒ K affirms C

1. Σ, a; ⌜Γ, ⟨K⟩A, A⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by i.h. on 𝒟₁
2. Σ, a; ⌜Γ⌝, ⌜⟨K⟩A⌝, ⌜A⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by definition of ⌜·⌝
3. Σ, a; ⌜Γ⌝, ⌜⟨K⟩A⌝, ⌜C⌝ ⊃ af(K, a) ⇒ ⌜A⌝ ⊃ af(K, a)    by ⊃R
4. Σ, a; ⌜Γ⌝, ⌜⟨K⟩A⌝, (⌜A⌝ ⊃ af(K, a)) ⊃ af(K, a), ⌜C⌝ ⊃ af(K, a) ⇒ ⌜A⌝ ⊃ af(K, a)    by weakening
5. Σ, a; af(K, a) ⇒ af(K, a)    by init
6. Σ, a; ⌜Γ⌝, ⌜⟨K⟩A⌝, (⌜A⌝ ⊃ af(K, a)) ⊃ af(K, a), ⌜C⌝ ⊃ af(K, a), af(K, a) ⇒ af(K, a)    by weakening
7. Σ, a; ⌜Γ⌝, ⌜⟨K⟩A⌝, (⌜A⌝ ⊃ af(K, a)) ⊃ af(K, a), ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by ⊃L
8. Σ, a; ⌜Γ⌝, ∀x.(⌜A⌝ ⊃ af(K, x)) ⊃ af(K, x), (⌜A⌝ ⊃ af(K, a)) ⊃ af(K, a), ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by definition of ⌜·⌝
9. Σ, a; ⌜Γ⌝, ∀x.(⌜A⌝ ⊃ af(K, x)) ⊃ af(K, x), ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by ∀L
10. Σ, a; ⌜Γ⌝, ⌜⟨K⟩A⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by definition of ⌜·⌝
11. Σ, a; ⌜Γ, ⟨K⟩A⌝, ⌜C⌝ ⊃ af(K, a) ⇒ af(K, a)    by definition of ⌜·⌝

------------
· pleasant

Γ pleasant
-----------------
Γ, ⌜C⌝ pleasant

Γ pleasant
---------------------
Γ, af(K, t) pleasant

Γ pleasant
-----------------------------
Γ, ⌜C⌝ ⊃ af(K, t) pleasant

Γ pleasant
-----------------------------------------
Γ, (⌜C⌝ ⊃ af(K, t)) ⊃ af(K, t) pleasant

Table 1: The formal definition of pleasant.

E Proof of Soundness for First-Order Translation

E.1 A Lemma

Before we can prove soundness, we need to define a few forms in which various terms may be found. We define these forms to focus our attention on only those formulas that can arise from proving the translated sequent.

• Let the proposition $D$ be called $(K,t)$-nice if it has the form $\lceil C\rceil$, $\mathsf{af}(K,t)$, $\lceil C\rceil \supset \mathsf{af}(K,t)$, or $(\lceil C\rceil \supset \mathsf{af}(K,t)) \supset \mathsf{af}(K,t)$.

• Let the proposition $A$ be called $(K,t)$-mean if it has the form $\mathsf{af}(K'',t'')$, $\lceil B\rceil \supset \mathsf{af}(K'',t'')$, or $(\lceil B\rceil \supset \mathsf{af}(K'',t'')) \supset \mathsf{af}(K'',t'')$ where $K'' \neq K$ or $t'' \neq t$.

• Let a hypothesis context $\Gamma$ be called pleasant if $\Gamma$ is empty or $\Gamma$ has the form $\Gamma',E$ for some proposition $E$ where $\Gamma'$ is pleasant and $E$ has the form $\lceil C\rceil$, $\mathsf{af}(K,t)$, $\lceil C\rceil \supset \mathsf{af}(K,t)$, or $(\lceil C\rceil \supset \mathsf{af}(K,t)) \supset \mathsf{af}(K,t)$.

Pleasant is more formally defined in Table 1.

Lemma E.1. Let $\mathcal{D}$ be a derivation of $\Sigma;\Gamma,A \Rightarrow D$ where $D$ is $(K,t)$-nice, $\Gamma$ is pleasant, and $A$ is $(K,t)$-mean. There exists a derivation $\mathcal{D}'$ of $\Sigma;\Gamma \Rightarrow D$ that is shorter than or equal in length to $\mathcal{D}$.

Proof. We induct on the given derivation $\mathcal{D}$, simultaneously for all values of $K$ and $t$.


Case: $\mathcal{D} = \dfrac{}{\Sigma;\Gamma,A \Rightarrow D}\ \mathrm{INIT}$

Since $D$ is $(K,t)$-nice, it ranges over $\lceil C\rceil$, $\mathsf{af}(K,t)$, $\lceil C\rceil \supset \mathsf{af}(K,t)$, and $(\lceil C\rceil \supset \mathsf{af}(K,t)) \supset \mathsf{af}(K,t)$. Since $A$ is $(K,t)$-mean, $A$ cannot be equal to $D$. Thus, $D$ is in $\Gamma$ and $\Sigma;\Gamma \Rightarrow D$ by INIT.

Case: $\mathcal{D} = \dfrac{}{\Sigma;\Gamma,A \Rightarrow D}\ \bot\mathrm{L}$

$A$ cannot be $\bot$ since $A$ is $(K,t)$-mean. Thus, $\bot$ must be in $\Gamma$ and $\Sigma;\Gamma \Rightarrow D$ follows in one step by $\bot$L.


Case: $\supset$R is the last rule in $\mathcal{D}$.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\Gamma,A,\lceil C\rceil \supset \mathsf{af}(K,t) \Rightarrow \mathsf{af}(K,t)}{\Sigma;\Gamma,A \Rightarrow (\lceil C\rceil \supset \mathsf{af}(K,t)) \supset \mathsf{af}(K,t)}\ \supset\mathrm{R}$

$\Gamma,\lceil C\rceil \supset \mathsf{af}(K,t)$ is pleasant, $\mathsf{af}(K,t)$ is $(K,t)$-nice, and $A$ is $(K,t)$-mean. Thus, the i.h. applies to $\mathcal{D}_1$. By the i.h. on $\mathcal{D}_1$, $\Sigma;\Gamma,\lceil C\rceil \supset \mathsf{af}(K,t) \Rightarrow \mathsf{af}(K,t)$ has a derivation $\mathcal{D}_1'$ with a length less than or equal to that of $\mathcal{D}_1$. Make $\mathcal{D}'$ by extending $\mathcal{D}_1'$ with $\supset$R to prove $\Sigma;\Gamma \Rightarrow (\lceil C\rceil \supset \mathsf{af}(K,t)) \supset \mathsf{af}(K,t)$. Since $\mathcal{D}$ is one step longer than $\mathcal{D}_1$, $\mathcal{D}_1'$ is equal to or less than $\mathcal{D}_1$ in length, and $\mathcal{D}'$ is one step longer than $\mathcal{D}_1'$, $\mathcal{D}'$ is equal to or less than $\mathcal{D}$ in length.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\Gamma,A,\lceil C\rceil \Rightarrow \mathsf{af}(K,t)}{\Sigma;\Gamma,A \Rightarrow \lceil C\rceil \supset \mathsf{af}(K,t)}\ \supset\mathrm{R}$

By the i.h. on $\mathcal{D}_1$, $\Sigma;\Gamma,\lceil C\rceil \Rightarrow \mathsf{af}(K,t)$ has a derivation $\mathcal{D}_1'$ with a length no greater than that of $\mathcal{D}_1$. Make $\mathcal{D}'$ by extending $\mathcal{D}_1'$ with $\supset$R to prove $\Sigma;\Gamma \Rightarrow \lceil C\rceil \supset \mathsf{af}(K,t)$ in no more steps than $\mathcal{D}$.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\Gamma,A,\lceil E\rceil \Rightarrow \lceil F\rceil}{\Sigma;\Gamma,A \Rightarrow \lceil E\rceil \supset \lceil F\rceil}\ \supset\mathrm{R}$

By the i.h. on $\mathcal{D}_1$, $\Sigma;\Gamma,\lceil E\rceil \Rightarrow \lceil F\rceil$ has a derivation $\mathcal{D}_1'$ with a length no greater than that of $\mathcal{D}_1$. Make $\mathcal{D}'$ by extending $\mathcal{D}_1'$ with $\supset$R to prove $\Sigma;\Gamma \Rightarrow \lceil E\rceil \supset \lceil F\rceil$ in no more steps than $\mathcal{D}$.


Case: When $\supset$L is the last rule in $\mathcal{D}$, either $A$ can be principal or not.

Subcase: $A$ is principal. In this case, $A$ has the form $\lceil B\rceil \supset \mathsf{af}(K'',t'')$ or $(\lceil B\rceil \supset \mathsf{af}(K'',t'')) \supset \mathsf{af}(K'',t'')$ where $K'' \neq K$ or $t'' \neq t$, since $A$ is $(K,t)$-mean. That is, $A$ is of the form $E \supset \mathsf{af}(K'',t'')$ where $E$ is either $\lceil B\rceil$ or $\lceil B\rceil \supset \mathsf{af}(K'',t'')$. Either way,

$\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\Gamma,E \supset \mathsf{af}(K'',t'') \Rightarrow E \qquad \mathcal{D}_2 :: \Sigma;\Gamma,E \supset \mathsf{af}(K'',t''),\mathsf{af}(K'',t'') \Rightarrow D}{\Sigma;\Gamma,E \supset \mathsf{af}(K'',t'') \Rightarrow D}\ \supset\mathrm{L}$

$\Gamma,\mathsf{af}(K'',t'')$ is pleasant. By the i.h. on $\mathcal{D}_2$, $\Sigma;\Gamma,\mathsf{af}(K'',t'') \Rightarrow D$ has a derivation $\mathcal{D}_2'$ with a length no greater than that of $\mathcal{D}_2$. Since $\mathcal{D}_2'$ is no greater in size than $\mathcal{D}_2$ and $\mathsf{af}(K'',t'')$ is $(K,t)$-mean, we may select $\mathsf{af}(K'',t'')$ as $A$ and again apply the i.h. This yields that $\Sigma;\Gamma \Rightarrow D$ has a derivation $\mathcal{D}_2''$ with a size no greater than that of $\mathcal{D}_2'$. Since $\mathcal{D}_2''$ must also be no larger than $\mathcal{D}_2'$, which is smaller than $\mathcal{D}$, we are done.

Subcase: $A$ is not principal. In this case the principal formula must be in $\Gamma$. Since $\Gamma$ is pleasant and the principal formula is an implication, it must have one of the following forms: $\lceil E\rceil \supset \lceil F\rceil$, $\lceil E\rceil \supset \mathsf{af}(K',t')$, or $(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t')$. First, we consider when the principal formula has one of the first two forms. Second, we consider when it has the last form.

Subsubcase: Let $B$ range over $\lceil F\rceil$ and $\mathsf{af}(K',t')$.

$\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\Gamma,\lceil E\rceil \supset B,A \Rightarrow \lceil E\rceil \qquad \mathcal{D}_2 :: \Sigma;\Gamma,\lceil E\rceil \supset B,B,A \Rightarrow D}{\Sigma;\Gamma,\lceil E\rceil \supset B,A \Rightarrow D}\ \supset\mathrm{L}$

$\lceil E\rceil$ is $(K,t)$-nice and $\Gamma,\lceil E\rceil \supset B$ is pleasant. By the i.h. on $\mathcal{D}_1$, $\Sigma;\Gamma,\lceil E\rceil \supset B \Rightarrow \lceil E\rceil$ has a derivation $\mathcal{D}_1'$ with a length no greater than that of $\mathcal{D}_1$. $\Gamma,\lceil E\rceil \supset B,B$ is pleasant. By the i.h. on $\mathcal{D}_2$, $\Sigma;\Gamma,\lceil E\rceil \supset B,B \Rightarrow D$ has a derivation $\mathcal{D}_2'$ with a length no greater than that of $\mathcal{D}_2$. Make $\mathcal{D}'$ by combining $\mathcal{D}_1'$ and $\mathcal{D}_2'$ with $\supset$L to prove $\Sigma;\Gamma,\lceil E\rceil \supset B \Rightarrow D$ in no more steps than $\mathcal{D}$.

Subsubcase: The only remaining case is when the principal formula has the form $(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t')$. This means that $\mathcal{D}$ has the form

$\mathcal{D} = \dfrac{\mathcal{F}_1 \qquad \mathcal{F}_2}{\Sigma;\Gamma,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t'),A \Rightarrow D}\ \supset\mathrm{L}$

where $\mathcal{F}_1$ is the derivation $\mathcal{D}_1 :: \Sigma;\Gamma,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t'),A \Rightarrow \lceil E\rceil \supset \mathsf{af}(K',t')$ and $\mathcal{F}_2$ is the derivation $\mathcal{D}_2 :: \Sigma;\Gamma,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t'),\mathsf{af}(K',t'),A \Rightarrow D$.

Since $A$ is $(K,t)$-mean, $A$ must have one of the following forms: $\mathsf{af}(K'',t'')$, $\lceil B\rceil \supset \mathsf{af}(K'',t'')$, or $(\lceil B\rceil \supset \mathsf{af}(K'',t'')) \supset \mathsf{af}(K'',t'')$ where $K'' \neq K$ or $t'' \neq t$. We now consider two cases:

Subsubsubcase: $K'' = K'$ and $t'' = t'$. Since $K' \neq K$ or $t' \neq t$, $\mathsf{af}(K',t')$ is $(K,t)$-mean. We may use the i.h. on $\mathcal{D}_2$ to delete $A$ and produce a derivation $\mathcal{D}_2'$ of $\Sigma;\Gamma,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t'),\mathsf{af}(K',t') \Rightarrow D$ that is no longer than $\mathcal{D}_2$. Since $\mathsf{af}(K',t')$ is also $(K,t)$-mean, the i.h. may be used again on $\mathcal{D}_2'$ to produce a derivation $\mathcal{D}_2''$ of $\Sigma;\Gamma,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t') \Rightarrow D$ that is no longer than $\mathcal{D}_2'$ or $\mathcal{D}_2$. $\mathcal{D}_2''$ is the needed derivation $\mathcal{D}'$ in the required length.

Subsubsubcase: $K'' \neq K'$ or $t'' \neq t'$. $A$ is $(K',t')$-mean. Furthermore, $\lceil E\rceil \supset \mathsf{af}(K',t')$ is $(K',t')$-nice and $\Gamma,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t')$ is pleasant. Thus, we may use the i.h. with $K'$ and $t'$ instead of $K$ and $t$ on $\mathcal{D}_1$ to produce a derivation $\mathcal{D}_1'$ of $\Sigma;\Gamma,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t') \Rightarrow \lceil E\rceil \supset \mathsf{af}(K',t')$ with a length no greater than that of $\mathcal{D}_1$.

We may use the i.h. with $K$ and $t$ on $\mathcal{D}_2$ to produce a derivation $\mathcal{D}_2'$ of $\Sigma;\Gamma,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t'),\mathsf{af}(K',t') \Rightarrow D$ with a length no greater than that of $\mathcal{D}_2$. To make $\mathcal{D}'$ of the required length, combine $\mathcal{D}_1'$ and $\mathcal{D}_2'$ with $\supset$L.

Case: When $\forall$L is the last rule applied in $\mathcal{D}$, the principal formula cannot be $A$ since $A$ is $(K,t)$-mean. Thus, it must be in $\Gamma$. Since $\Gamma$ is pleasant, the principal formula must have one of the following forms: $\lceil\langle K'\rangle E\rceil = \forall x.(\lceil E\rceil \supset \mathsf{af}(K',x)) \supset \mathsf{af}(K',x)$ or $\lceil\forall x.E\rceil = \forall x.\lceil E\rceil$.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\Gamma,\lceil\langle K'\rangle E\rceil,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t'),A \Rightarrow D}{\Sigma;\Gamma,\lceil\langle K'\rangle E\rceil,A \Rightarrow D}\ \forall\mathrm{L}$

$\Gamma,\lceil\langle K'\rangle E\rceil,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t')$ is pleasant. By the i.h. on $\mathcal{D}_1$, we know that $\Sigma;\Gamma,\lceil\langle K'\rangle E\rceil,(\lceil E\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t') \Rightarrow D$ has a derivation $\mathcal{D}_1'$ with a length no greater than that of $\mathcal{D}_1$. Make $\mathcal{D}'$ by extending $\mathcal{D}_1'$ with $\forall$L to prove $\Sigma;\Gamma,\lceil\langle K'\rangle E\rceil \Rightarrow D$ in no more steps than $\mathcal{D}$.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\Gamma,\forall x.\lceil E\rceil,[t'/x]\lceil E\rceil,A \Rightarrow D}{\Sigma;\Gamma,\forall x.\lceil E\rceil,A \Rightarrow D}\ \forall\mathrm{L}$

By Lemma D.1, $[t'/x]\lceil E\rceil$ is equal to $\lceil[t'/x]E\rceil$. Thus, $\Gamma,\forall x.\lceil E\rceil,[t'/x]\lceil E\rceil$ is pleasant. By the i.h. on $\mathcal{D}_1$, $\Sigma;\Gamma,\forall x.\lceil E\rceil,[t'/x]\lceil E\rceil \Rightarrow D$ has a derivation $\mathcal{D}_1'$ with a length no greater than that of $\mathcal{D}_1$. Make $\mathcal{D}'$ by extending $\mathcal{D}_1'$ with $\forall$L to prove $\Sigma;\Gamma,\forall x.\lceil E\rceil \Rightarrow D$ in no more steps than $\mathcal{D}$.

Case: $\forall$R is the last rule in $\mathcal{D}$. In this case $D$ must have the form $\lceil\langle K\rangle C\rceil$ or $\forall x.\lceil C\rceil$ since $D$ is $(K,t)$-nice.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma,a;\Gamma,A \Rightarrow (\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a)}{\Sigma;\Gamma,A \Rightarrow \lceil\langle K\rangle C\rceil}\ \forall\mathrm{R}$

Note that $a$ is fresh and does not equal $t$, and that $\lceil\langle K\rangle C\rceil$ is $\forall x.(\lceil C\rceil \supset \mathsf{af}(K,x)) \supset \mathsf{af}(K,x)$. Since $A$ is $(K,t)$-mean and $a$ is fresh and not in $A$, $A$ is $(K,a)$-mean. $(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a)$ is $(K,a)$-nice. By the i.h. on $\mathcal{D}_1$, $\Sigma,a;\Gamma \Rightarrow (\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a)$ has a derivation $\mathcal{D}_1'$ with a length no greater than that of $\mathcal{D}_1$. Make $\mathcal{D}'$ by extending $\mathcal{D}_1'$ with $\forall$R to prove $\Sigma;\Gamma \Rightarrow \forall x.(\lceil C\rceil \supset \mathsf{af}(K,x)) \supset \mathsf{af}(K,x)$, which is $\Sigma;\Gamma \Rightarrow \lceil\langle K\rangle C\rceil$, in no more steps than $\mathcal{D}$.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma,a;\Gamma,A \Rightarrow [a/x]\lceil C\rceil}{\Sigma;\Gamma,A \Rightarrow \forall x.\lceil C\rceil}\ \forall\mathrm{R}$

Note that $[a/x]\lceil C\rceil$ is equal to $\lceil[a/x]C\rceil$ by Lemma D.1. Thus, $[a/x]\lceil C\rceil$ is $(K,t)$-nice. So we may use the i.h. on $\mathcal{D}_1$ to conclude that $\Sigma,a;\Gamma \Rightarrow \lceil[a/x]C\rceil$ has a derivation $\mathcal{D}_1'$ with a length no greater than that of $\mathcal{D}_1$. Make $\mathcal{D}'$ by extending $\mathcal{D}_1'$ with $\forall$R to prove $\Sigma;\Gamma \Rightarrow \forall x.\lceil C\rceil$ in no more steps than $\mathcal{D}$.

□


E.2 More Definitions

To prove soundness, we will prove a stronger statement about sequents of a certain form. A sequent $\Sigma;\Gamma \Rightarrow \gamma$ is regular iff one of the following sets of conditions holds:

1. (a) $\gamma = \lceil A\rceil$, and
   (b) all assumptions in $\Gamma$ have the form $\lceil B\rceil$.

2. (a) $\gamma = \mathsf{af}(K,a)$ for a parameter $a$,
   (b) all assumptions in $\Gamma$ have the form $\lceil B\rceil$ or $(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a)$, and
   (c) $a$ occurs only inside assumptions of the second form.

Let the inverse translation $\lfloor A\rfloor$ be defined by Table 2, with $\lfloor\Gamma,A\rfloor = \lfloor\Gamma\rfloor,\lfloor A\rfloor$ and $\lfloor\cdot\rfloor = \cdot$. Note that $A = \lfloor\lceil A\rceil\rfloor$ for all propositions $A$ of INLL.

If the hypothesis context $\Gamma$ is pleasant, then every formula in $\Gamma$ has the form $\lceil C\rceil$, $\mathsf{af}(K,t)$, $\lceil C\rceil \supset \mathsf{af}(K,t)$, or $(\lceil C\rceil \supset \mathsf{af}(K,t)) \supset \mathsf{af}(K,t)$. Let $\Gamma_\downarrow$ denote $\Gamma$ restricted to only those formulas of the form $\lceil C\rceil$, and let $\Gamma_\uparrow$ denote those formulas of the remaining three forms. So $\Gamma = \Gamma_\downarrow,\Gamma_\uparrow$.
$\lfloor P\rfloor = P$

$\lfloor A_1 \wedge A_2\rfloor = \lfloor A_1\rfloor \wedge \lfloor A_2\rfloor$

$\lfloor A_1 \vee A_2\rfloor = \lfloor A_1\rfloor \vee \lfloor A_2\rfloor$

$\lfloor A_1 \supset A_2\rfloor = \lfloor A_1\rfloor \supset \lfloor A_2\rfloor$

$\lfloor\top\rfloor = \top$

$\lfloor\bot\rfloor = \bot$

$\lfloor\forall x.(A \supset \mathsf{af}(K,x)) \supset \mathsf{af}(K,x)\rfloor = \langle K\rangle\lfloor A\rfloor$

$\lfloor(A \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a)\rfloor = \langle K\rangle\lfloor A\rfloor$

Table 2: Inverse Translation Rules
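As an added illustration (not code from the paper), the following implements the inverse translation of Table 2 alongside the forward CPS translation it inverts, over a small INLL syntax, and checks the identity $A = \lfloor\lceil A\rceil\rfloor$ noted above. The modal case $\lceil\langle K\rangle A\rceil = \forall x.(\lceil A\rceil \supset \mathsf{af}(K,x)) \supset \mathsf{af}(K,x)$ is the paper's; that $\lceil\cdot\rceil$ is homomorphic on atoms, $\wedge$, $\vee$, $\supset$, $\top$, $\bot$ is an assumption read off Table 2, and all class and function names are this example's own.

```python
# Added example: forward translation (CPS encoding of the lax modality) and the
# inverse translation of Table 2, with a round-trip check floor(ceil(A)) == A.
# Assumption: ceil is homomorphic on the non-modal connectives (matches Table 2).
from dataclasses import dataclass
from typing import Union

# ---- INLL propositions (source side) --------------------------------------
@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class And:
    l: "Prop"; r: "Prop"

@dataclass(frozen=True)
class Or:
    l: "Prop"; r: "Prop"

@dataclass(frozen=True)
class Imp:
    l: "Prop"; r: "Prop"

@dataclass(frozen=True)
class Top:
    pass

@dataclass(frozen=True)
class Bot:
    pass

@dataclass(frozen=True)
class Says:            # the lax modality <K>A
    k: str; a: "Prop"

# ---- extra first-order constructors (target side) -------------------------
@dataclass(frozen=True)
class Af:              # af(K, t): the CPS answer atom; t is a variable or parameter
    k: str; t: str

@dataclass(frozen=True)
class Forall:          # forall x. body
    x: str; body: "Prop"

Prop = Union[Atom, And, Or, Imp, Top, Bot, Says, Af, Forall]

_fresh = 0
def fresh_var() -> str:
    """A variable name not used elsewhere (only Forall binds variables)."""
    global _fresh
    _fresh += 1
    return f"x{_fresh}"

def encode(p: Prop) -> Prop:
    """Forward translation: <K>A becomes forall x.(A' -> af(K,x)) -> af(K,x);
    every other connective is translated homomorphically (assumption)."""
    if isinstance(p, (Atom, Top, Bot)):
        return p
    if isinstance(p, (And, Or, Imp)):
        return type(p)(encode(p.l), encode(p.r))
    if isinstance(p, Says):
        x = fresh_var()
        a = encode(p.a)
        return Forall(x, Imp(Imp(a, Af(p.k, x)), Af(p.k, x)))
    raise TypeError(f"not an INLL proposition: {p!r}")

def _continuation(q: Prop, x):
    """Match (A -> af(K,t)) -> af(K,t) and return (K, A); if x is given, t must be x."""
    if (isinstance(q, Imp) and isinstance(q.l, Imp) and isinstance(q.r, Af)
            and q.l.r == q.r and (x is None or q.r.t == x)):
        return q.r.k, q.l.l
    raise ValueError("not a CPS continuation")

def decode(q: Prop) -> Prop:
    """Inverse translation of Table 2: both the quantified form and the
    instantiated form (A -> af(K,a)) -> af(K,a) collapse to <K>A. Anything
    outside the table's domain (e.g. a bare af(K,t)) raises ValueError."""
    if isinstance(q, (Atom, Top, Bot)):
        return q
    if isinstance(q, (And, Or)):
        return type(q)(decode(q.l), decode(q.r))
    if isinstance(q, Forall):
        k, a = _continuation(q.body, q.x)
        return Says(k, decode(a))
    if isinstance(q, Imp):
        try:
            k, a = _continuation(q, None)
        except ValueError:
            return Imp(decode(q.l), decode(q.r))   # an ordinary implication
        return Says(k, decode(a))
    raise ValueError(f"outside the domain of the inverse translation: {q!r}")

def roundtrip_ok(p: Prop) -> bool:
    """The identity A = floor(ceil(A)) stated in Section E.2."""
    return decode(encode(p)) == p

if __name__ == "__main__":
    # constructed access-control policy: admin affirms that Bob may read foo.pdf,
    # and "admin affirms readable" implies readable
    can_read = Atom("can_read(Bob, foo.pdf)")
    policy = And(Says("admin", can_read), Imp(Says("admin", can_read), can_read))
    print(encode(policy))
    print(roundtrip_ok(policy))
```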


E.3 The Theorem

Soundness is a corollary of the following theorem.

Theorem E.2.

(i) If $\Sigma;\lceil\Gamma\rceil \Rightarrow \lceil A\rceil$, then $\Gamma \Rightarrow A$.

(ii) If $\Sigma,a;\Gamma,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)$ and $\Sigma,a;\Gamma \Rightarrow \mathsf{af}(K,a)$ is regular, then $\lfloor\Gamma\rfloor \Rightarrow K\ \mathsf{affirms}\ D$.

Note that since $\Sigma;\Gamma \Rightarrow A$ and $\Sigma,a;\Gamma \Rightarrow \mathsf{af}(K,a)$ are regular, $\lfloor\Gamma\rfloor$ and $\lfloor A\rfloor$ are defined.

Since $\lfloor\lceil A\rceil\rfloor = A$, statement (i) is equivalent to

(i') if $\Sigma;\Gamma \Rightarrow A$ and $\Sigma;\Gamma \Rightarrow A$ is regular, then $\lfloor\Gamma\rfloor \Rightarrow \lfloor A\rfloor$.

Proof. We prove (i) and (ii) by simultaneous induction on the derivation $\mathcal{D}$ of $\Sigma;\Gamma \Rightarrow A$ and $\mathcal{E}$ of $\Sigma,a;\Gamma,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)$.


Case: $\mathcal{D} = \dfrac{}{\Sigma;\Gamma,\lceil P\rceil \Rightarrow \lceil P\rceil}\ \mathrm{INIT}$

1. $\Gamma,P \Rightarrow P$ by INIT

Case: $\mathcal{E} = \dfrac{}{\Sigma,a;\Gamma,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}\ \mathrm{INIT}$

Since $\Gamma$ is regular, it will not contain $\mathsf{af}(K,a)$ as an assumption. Thus, INIT cannot be applied and we need not further consider this case.

Case: $\mathcal{D} = \dfrac{}{\Sigma;\lceil\Gamma,\bot\rceil \Rightarrow \lceil A\rceil}\ \bot\mathrm{L}$

1. $\Gamma,\bot \Rightarrow A$ by $\bot$L

Case: $\mathcal{E} = \dfrac{}{\Sigma,a;\Gamma,\bot,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}\ \bot\mathrm{L}$

1. $\lfloor\Gamma\rfloor,\bot \Rightarrow K\ \mathsf{affirms}\ D$ by $\bot$L

Case: $\mathcal{D}$ ends with $\forall$R.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma,a;\lceil\Gamma\rceil \Rightarrow [a/x]\lceil C\rceil}{\Sigma;\lceil\Gamma\rceil \Rightarrow \forall x.\lceil C\rceil}\ \forall\mathrm{R}$

No $B$ exists such that $\lceil B\rceil$ is equal to $\forall x.\lceil C\rceil = \lceil\forall x.C\rceil$. Thus, we need not further consider this case.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma,a;\lceil\Gamma\rceil \Rightarrow (\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a)}{\Sigma;\lceil\Gamma\rceil \Rightarrow \forall x.(\lceil C\rceil \supset \mathsf{af}(K,x)) \supset \mathsf{af}(K,x)}\ \forall\mathrm{R}$

Note that $\lceil\langle K\rangle C\rceil = \forall x.(\lceil C\rceil \supset \mathsf{af}(K,x)) \supset \mathsf{af}(K,x)$. We know that $\Sigma,a;\lceil\Gamma\rceil,\lceil C\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)$ has a derivation $\mathcal{E}_1$ by inversion on the premise. Thus, $\Gamma \Rightarrow K\ \mathsf{affirms}\ C$ by i.h. (ii) on $\mathcal{E}_1$. This yields $\Gamma \Rightarrow \langle K\rangle C$ by $\langle\rangle$R, since $\lfloor\lceil\Gamma\rceil\rfloor = \Gamma$.

Case: $\mathcal{E}$ ends with $\forall$R. This cannot happen since $\mathsf{af}(K,a)$ does not have the form $\forall x.C$. We need not further consider this case.


Case: $\mathcal{D}$ ends with $\forall$L.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\lceil\Gamma\rceil,\forall x.\lceil C\rceil,\lceil[t/x]C\rceil \Rightarrow \lceil A\rceil}{\Sigma;\lceil\Gamma\rceil,\forall x.\lceil C\rceil \Rightarrow \lceil A\rceil}\ \forall\mathrm{L}$

No $B$ exists such that $\lceil B\rceil$ is equal to $\forall x.\lceil C\rceil = \lceil\forall x.C\rceil$. Thus, we need not further consider this case.

Subcase: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\lceil\Gamma\rceil,\lceil\langle K\rangle C\rceil,(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a) \Rightarrow \lceil A\rceil}{\Sigma;\lceil\Gamma\rceil,\lceil\langle K\rangle C\rceil \Rightarrow \lceil A\rceil}\ \forall\mathrm{L}$

$\lceil\Gamma\rceil,\lceil\langle K\rangle C\rceil$ is pleasant. $(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a)$ is $(K',t')$-mean and $\lceil A\rceil$ is $(K',t')$-nice for any $K' \neq K$ and $t' \neq a$. Thus, $\Sigma;\lceil\Gamma\rceil,\lceil\langle K\rangle C\rceil \Rightarrow \lceil A\rceil$ has a derivation $\mathcal{D}_1'$ that is shorter than or equal to $\mathcal{D}_1$ in length by Lemma E.1. We may use i.h. (i) on $\mathcal{D}_1'$ to yield $\Gamma,\langle K\rangle C \Rightarrow A$.

Case: $\mathcal{E}$ ends with $\forall$L.

Subcase: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Sigma,a;\Gamma,\forall x.\lceil C\rceil,\lceil[t/x]C\rceil,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}{\Sigma,a;\Gamma,\forall x.\lceil C\rceil,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}\ \forall\mathrm{L}$

$\forall x.\lceil C\rceil$ cannot be in $\Gamma$ since $\Gamma$ is regular and no $B$ exists such that $\lceil B\rceil$ is equal to $\forall x.\lceil C\rceil$. Thus, we need not further consider this case.

Subcase: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Sigma,a;\Gamma,\lceil\langle K'\rangle C\rceil,(\lceil C\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t'),\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}{\Sigma,a;\Gamma,\lceil\langle K'\rangle C\rceil,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}\ \forall\mathrm{L}$

Now we consider the following cases:

Subsubcase: $K' \neq K$ or $t' \neq a$. $\Gamma,\lceil\langle K'\rangle C\rceil,\lceil D\rceil \supset \mathsf{af}(K,a)$ is pleasant since $\Gamma$ is regular, $\mathsf{af}(K,a)$ is $(K,a)$-nice, and $(\lceil C\rceil \supset \mathsf{af}(K',t')) \supset \mathsf{af}(K',t')$ is $(K,a)$-mean. Thus, $\Sigma,a;\Gamma,\lceil\langle K'\rangle C\rceil,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)$ has a derivation $\mathcal{E}_1'$ that is shorter than or equal to $\mathcal{E}_1$ in length by Lemma E.1. By i.h. (ii) on $\mathcal{E}_1'$, we prove $\lfloor\Gamma,\lceil\langle K'\rangle C\rceil\rfloor \Rightarrow K\ \mathsf{affirms}\ D$.

Subsubcase: $K' = K$ and $t' = a$.

1. $\lfloor\Gamma,\lceil\langle K\rangle C\rceil,(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a)\rfloor \Rightarrow K\ \mathsf{affirms}\ D$ by i.h. (ii) on $\mathcal{E}_1$
2. $\lfloor\Gamma\rfloor,\langle K\rangle C,\langle K\rangle C \Rightarrow K\ \mathsf{affirms}\ D$ by definitions of $\lfloor\cdot\rfloor$ and $\lceil\cdot\rceil$
3. $\lfloor\Gamma\rfloor,\langle K\rangle C \Rightarrow K\ \mathsf{affirms}\ D$ by strengthening

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\lceil\Gamma\rceil,\lceil A\rceil \Rightarrow \lceil B\rceil}{\Sigma;\lceil\Gamma\rceil \Rightarrow \lceil A\rceil \supset \lceil B\rceil}\ \supset\mathrm{R}$

1. $\Gamma,A \Rightarrow B$ by i.h. (i) on $\mathcal{D}_1$
2. $\Gamma \Rightarrow A \supset B$ by $\supset$R
Case: $\mathcal{E}$ ends with $\supset$R. This cannot happen since $\mathsf{af}(K,a)$ is not an implication. We need not further consider this case.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Sigma;\lceil\Gamma\rceil,\lceil B\rceil \supset \lceil C\rceil \Rightarrow \lceil B\rceil \qquad \mathcal{D}_2 :: \Sigma;\lceil\Gamma\rceil,\lceil B\rceil \supset \lceil C\rceil,\lceil C\rceil \Rightarrow \lceil A\rceil}{\Sigma;\lceil\Gamma\rceil,\lceil B\rceil \supset \lceil C\rceil \Rightarrow \lceil A\rceil}\ \supset\mathrm{L}$

1. $\Gamma,B \supset C \Rightarrow B$ by i.h. (i) on $\mathcal{D}_1$
2. $\Gamma,B \supset C,C \Rightarrow A$ by i.h. (i) on $\mathcal{D}_2$
3. $\Gamma,B \supset C \Rightarrow A$ by $\supset$L
Case: $\mathcal{E}$ ends with $\supset$L.

Subcase: $\mathcal{E} = \dfrac{\mathcal{F}_1 \qquad \mathcal{F}_2}{\Sigma,a;\Gamma,\lceil B\rceil \supset \lceil C\rceil,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}\ \supset\mathrm{L}$

where $\mathcal{F}_1$ is the derivation $\mathcal{E}_1 :: \Sigma,a;\Gamma,\lceil B\rceil \supset \lceil C\rceil,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \lceil B\rceil$ and $\mathcal{F}_2$ is the derivation $\mathcal{E}_2 :: \Sigma,a;\Gamma,\lceil B\rceil \supset \lceil C\rceil,\lceil C\rceil,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)$.

$\Gamma,\lceil B\rceil \supset \lceil C\rceil$ is pleasant since $\Gamma$ is regular. For all $t \neq a$, $\lceil D\rceil \supset \mathsf{af}(K,a)$ is $(K,t)$-mean and $\lceil B\rceil$ is $(K,t)$-nice. By Lemma E.1 on $\mathcal{E}_1$, there exists a derivation $\mathcal{D}_1'$ of $\Sigma,a;\Gamma,\lceil B\rceil \supset \lceil C\rceil \Rightarrow \lceil B\rceil$ that has a length no greater than that of $\mathcal{E}_1$.

Since no formula can contain every term $t$, every formula in $\Gamma_\uparrow$ is $(K,t)$-mean for some $t$. Furthermore, $\lceil B\rceil$ is $(K,t)$-nice for all $t$. Removing formulas from $\Gamma$ will never result in $\Gamma$ no longer being pleasant. Thus, we may use Lemma E.1 over and over again to remove every formula in $\Gamma_\uparrow$ from the hypothesis context, starting on $\mathcal{D}_1'$. This results in a derivation $\mathcal{D}_1''$ of $\Sigma,a;\Gamma_\downarrow,\lceil B\rceil \supset \lceil C\rceil \Rightarrow \lceil B\rceil$ with a length no greater than that of $\mathcal{D}_1'$. Since $\Gamma_\downarrow$ has only formulas of the form $\lceil A\rceil$, we can use i.h. (i) on $\mathcal{D}_1''$ to prove that $\lfloor\Gamma_\downarrow\rfloor,B \supset C \Rightarrow B$.

By i.h. (ii) on $\mathcal{E}_2$, $\lfloor\Gamma\rfloor,B \supset C,C \Rightarrow K\ \mathsf{affirms}\ D$. Combining $\lfloor\Gamma_\downarrow\rfloor,B \supset C \Rightarrow B$ and $\lfloor\Gamma\rfloor,B \supset C,C \Rightarrow K\ \mathsf{affirms}\ D$ with $\supset$L and weakening produces a proof of $\lfloor\Gamma\rfloor,B \supset C \Rightarrow K\ \mathsf{affirms}\ D$ as needed.

Subcase: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Sigma,a;\Gamma,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \lceil D\rceil \qquad \mathcal{E}_2 :: \Sigma,a;\Gamma,\lceil D\rceil \supset \mathsf{af}(K,a),\mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}{\Sigma,a;\Gamma,\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}\ \supset\mathrm{L}$

$\Gamma$ is pleasant since $\Gamma$ is regular. For all $t \neq a$, $\lceil D\rceil \supset \mathsf{af}(K,a)$ is $(K,t)$-mean and $\lceil D\rceil$ is $(K,t)$-nice. By Lemma E.1 on $\mathcal{E}_1$, there is a derivation $\mathcal{D}_1'$ of $\Sigma,a;\Gamma \Rightarrow \lceil D\rceil$ with a length no greater than that of $\mathcal{E}_1$. As above, we may apply Lemma E.1 over and over again to remove every formula of $\Gamma_\uparrow$. This yields the derivation $\mathcal{D}_1''$ of $\Sigma,a;\Gamma_\downarrow \Rightarrow \lceil D\rceil$. By i.h. (i) on $\mathcal{D}_1''$, $\lfloor\Gamma_\downarrow\rfloor \Rightarrow D$. Using the inference rule $\mathsf{affirms}$ and weakening yields $\lfloor\Gamma\rfloor \Rightarrow K\ \mathsf{affirms}\ D$ as needed.

Subcase: $\mathcal{E} = \dfrac{\mathcal{F}_1 \qquad \mathcal{F}_2}{\Sigma,a;\Gamma,(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a),\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)}\ \supset\mathrm{L}$

where $\mathcal{F}_1$ is the derivation $\mathcal{E}_1 :: \Sigma,a;\Gamma,(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a),\lceil D\rceil \supset \mathsf{af}(K,a) \Rightarrow \lceil C\rceil \supset \mathsf{af}(K,a)$ and $\mathcal{F}_2$ is the derivation $\mathcal{E}_2 :: \Sigma,a;\Gamma,(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a),\lceil D\rceil \supset \mathsf{af}(K,a),\mathsf{af}(K,a) \Rightarrow \mathsf{af}(K,a)$.

$\Sigma,a;\Gamma,(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a),\lceil D\rceil \supset \mathsf{af}(K,a),\lceil C\rceil \Rightarrow \mathsf{af}(K,a)$ has a derivation $\mathcal{D}_1'$ by inversion of the first premise. From i.h. (ii) on $\mathcal{D}_1'$, we can prove that $\lfloor\Gamma,(\lceil C\rceil \supset \mathsf{af}(K,a)) \supset \mathsf{af}(K,a),\lceil C\rceil\rfloor \Rightarrow K\ \mathsf{affirms}\ D$. By the definitions of $\lceil\cdot\rceil$ and $\lfloor\cdot\rfloor$, we get $\lfloor\Gamma\rfloor,\langle K\rangle C,C \Rightarrow K\ \mathsf{affirms}\ D$. $\langle\rangle$L produces $\lfloor\Gamma\rfloor,\langle K\rangle C \Rightarrow K\ \mathsf{affirms}\ D$ as needed.

□

Figure 3: Natural Deduction for INLL. [Figure not reproduced; among its rules are $\dfrac{}{\Gamma,\bot \vdash \gamma}\ \bot\mathrm{L}$, $\dfrac{\Gamma \vdash \langle K\rangle A \qquad \Gamma,A \vdash K\ \mathsf{affirms}\ C}{\Gamma \vdash K\ \mathsf{affirms}\ C}\ \langle\rangle\mathrm{E}$, $\forall$E, and $\langle\rangle$I.]


F Proof of Completeness for Linear Translation

We first construct a natural deduction system for INLL. This is provably equivalent to the sequent calculus of Section A. The proof is relatively straightforward and we omit it here. The basic hypothetical judgment has the form $\Gamma \vdash \gamma$ where $\gamma = A$ or $\gamma = K\ \mathsf{affirms}\ A$. The system is shown in Figure 3.

Theorem F.1 (Equivalence). $\Gamma \vdash \gamma$ if and only if $\Gamma \Rightarrow \gamma$.

Proof. Straightforward extension of standard proofs. See for instance [How01]. □

Theorem F.2 (Completeness).

1. If $\Gamma \vdash A$ in INLL, then $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil$ in ILL.

2. If $\Gamma \vdash K\ \mathsf{affirms}\ A$ in INLL, then $\lceil\Gamma\rceil;\lceil A\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ in ILL.
Proof. We perform a simultaneous induction on the given derivations, and analyze cases on the last rule.

Case: $\dfrac{}{\Gamma,A \vdash A}\ \mathrm{hyp}$

To show: $\lceil\Gamma\rceil,\lceil A\rceil;\cdot \Rightarrow \lceil A\rceil$.

1. $\lceil\Gamma\rceil,\lceil A\rceil;\lceil A\rceil \Rightarrow \lceil A\rceil$ by init
2. $\lceil\Gamma\rceil,\lceil A\rceil;\cdot \Rightarrow \lceil A\rceil$ by copy on 1

Case: $\dfrac{\Gamma,A \vdash B}{\Gamma \vdash A \supset B}\ \supset\mathrm{I}$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil \supset \lceil B\rceil$.

1. $\lceil\Gamma\rceil,\lceil A\rceil;\cdot \Rightarrow \lceil B\rceil$ by i.h.
2. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil \supset \lceil B\rceil$ by Rule $\supset$R on 1

Case: $\dfrac{\Gamma \vdash A \supset B \qquad \Gamma \vdash A}{\Gamma \vdash B}\ \supset\mathrm{E}$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil B\rceil$.

1. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil \supset \lceil B\rceil$ by i.h. premise 1
2. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil$ by i.h. premise 2
3. $\lceil\Gamma\rceil;\lceil B\rceil \Rightarrow \lceil B\rceil$ by Rule init
4. $\lceil\Gamma\rceil;\lceil A\rceil \supset \lceil B\rceil \Rightarrow \lceil B\rceil$ by Rule $\supset$L on 2,3
5. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil B\rceil$ by Cut 1,4

Case: $\dfrac{\Gamma \vdash A \qquad \Gamma \vdash B}{\Gamma \vdash A \wedge B}\ \wedge\mathrm{I}$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil \mathbin{\&} \lceil B\rceil$.

1. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil$ by i.h. premise 1
2. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil B\rceil$ by i.h. premise 2
3. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil \mathbin{\&} \lceil B\rceil$ by Rule $\&$R on 1,2

Case: $\dfrac{\Gamma \vdash A \wedge B}{\Gamma \vdash A}\ \wedge\mathrm{E}_1$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil$.

1. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil \mathbin{\&} \lceil B\rceil$ by i.h.
2. $\lceil\Gamma\rceil;\lceil A\rceil \Rightarrow \lceil A\rceil$ by Rule init
3. $\lceil\Gamma\rceil;\lceil A\rceil \mathbin{\&} \lceil B\rceil \Rightarrow \lceil A\rceil$ by Rule $\&$L$_1$ on 2
4. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil$ by Cut 1,3

Case: $\dfrac{\Gamma \vdash A \wedge B}{\Gamma \vdash B}\ \wedge\mathrm{E}_2$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil B\rceil$. Similar to previous case.
Case: $\dfrac{\Gamma \vdash A}{\Gamma \vdash A \vee B}\ \vee\mathrm{I}_1$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow (!\lceil A\rceil) \oplus (!\lceil B\rceil)$.

1. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil$ by i.h.
2. $\lceil\Gamma\rceil;\cdot \Rightarrow\ !\lceil A\rceil$ by Rule $!$R on 1
3. $\lceil\Gamma\rceil;\cdot \Rightarrow (!\lceil A\rceil) \oplus (!\lceil B\rceil)$ by Rule $\oplus$R$_1$ on 2

Case: $\dfrac{\Gamma \vdash B}{\Gamma \vdash A \vee B}\ \vee\mathrm{I}_2$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow (!\lceil A\rceil) \oplus (!\lceil B\rceil)$. Similar to previous case.

Case: $\dfrac{\Gamma \vdash A \vee B \qquad \Gamma,A \vdash C \qquad \Gamma,B \vdash C}{\Gamma \vdash C}\ \vee\mathrm{E}$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil C\rceil$.

1. $\lceil\Gamma\rceil,\lceil A\rceil;\cdot \Rightarrow \lceil C\rceil$ by i.h. premise 2
2. $\lceil\Gamma\rceil;\,!\lceil A\rceil \Rightarrow \lceil C\rceil$ by Rule $!$L on 1
3. $\lceil\Gamma\rceil,\lceil B\rceil;\cdot \Rightarrow \lceil C\rceil$ by i.h. premise 3
4. $\lceil\Gamma\rceil;\,!\lceil B\rceil \Rightarrow \lceil C\rceil$ by Rule $!$L on 3
5. $\lceil\Gamma\rceil;(!\lceil A\rceil) \oplus (!\lceil B\rceil) \Rightarrow \lceil C\rceil$ by Rule $\oplus$L on 2,4
6. $\lceil\Gamma\rceil;\cdot \Rightarrow (!\lceil A\rceil) \oplus (!\lceil B\rceil)$ by i.h. premise 1
7. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil C\rceil$ by Cut 6,5

Case: $\dfrac{\Gamma \vdash A \vee B \qquad \Gamma,A \vdash K\ \mathsf{affirms}\ C \qquad \Gamma,B \vdash K\ \mathsf{affirms}\ C}{\Gamma \vdash K\ \mathsf{affirms}\ C}\ \vee\mathrm{E}$

To show: $\lceil\Gamma\rceil;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$.

1. $\lceil\Gamma\rceil,\lceil A\rceil;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by i.h. premise 2
2. $\lceil\Gamma\rceil;\,!\lceil A\rceil,\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Rule $!$L on 1
3. $\lceil\Gamma\rceil,\lceil B\rceil;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by i.h. premise 3
4. $\lceil\Gamma\rceil;\,!\lceil B\rceil,\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Rule $!$L on 3
5. $\lceil\Gamma\rceil;(!\lceil A\rceil) \oplus (!\lceil B\rceil),\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Rule $\oplus$L on 2,4
6. $\lceil\Gamma\rceil;\cdot \Rightarrow (!\lceil A\rceil) \oplus (!\lceil B\rceil)$ by i.h. premise 1
7. $\lceil\Gamma\rceil;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Cut 6,5

Case: $\dfrac{}{\Gamma \vdash \top}\ \top\mathrm{R}$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow \top$. Follows immediately by rule $\top$R.

Case: $\dfrac{}{\Gamma,\bot \vdash C}\ \bot\mathrm{L}$

To show: $\lceil\Gamma\rceil,0;\cdot \Rightarrow \lceil C\rceil$.

1. $\lceil\Gamma\rceil,0;0 \Rightarrow \lceil C\rceil$ by Rule $0$L
2. $\lceil\Gamma\rceil,0;\cdot \Rightarrow \lceil C\rceil$ by Rule copy on 1
Case: $\dfrac{}{\Gamma,\bot \vdash K\ \mathsf{affirms}\ C}\ \bot\mathrm{L}$

To show: $\lceil\Gamma\rceil,0;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$.

1. $\lceil\Gamma\rceil,0;0,\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Rule $0$L
2. $\lceil\Gamma\rceil,0;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Rule copy on 1

Case: $\dfrac{\Gamma \vdash A}{\Gamma \vdash K\ \mathsf{affirms}\ A}\ \mathsf{affirms}$

To show: $\lceil\Gamma\rceil;\lceil A\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$.

1. $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil$ by i.h.
2. $\lceil\Gamma\rceil;\mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Rule init
3. $\lceil\Gamma\rceil;\lceil A\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Rule $\supset$L on 1,2

Case: $\dfrac{\Gamma \vdash K\ \mathsf{affirms}\ A}{\Gamma \vdash \langle K\rangle A}\ \langle\rangle\mathrm{I}$

To show: $\lceil\Gamma\rceil;\cdot \Rightarrow (\lceil A\rceil \supset \mathsf{af}(K)) \multimap \mathsf{af}(K)$.

1. $\lceil\Gamma\rceil;\lceil A\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by i.h.
2. $\lceil\Gamma\rceil;\cdot \Rightarrow (\lceil A\rceil \supset \mathsf{af}(K)) \multimap \mathsf{af}(K)$ by Rule $\multimap$R on 1

Case: $\dfrac{\Gamma \vdash \langle K\rangle A \qquad \Gamma,A \vdash K\ \mathsf{affirms}\ C}{\Gamma \vdash K\ \mathsf{affirms}\ C}\ \langle\rangle\mathrm{E}$

To show: $\lceil\Gamma\rceil;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$.

1. $\lceil\Gamma\rceil,\lceil A\rceil;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by i.h. premise 2
2. $\lceil\Gamma\rceil;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \lceil A\rceil \supset \mathsf{af}(K)$ by Rule $\supset$R on 1
3. $\lceil\Gamma\rceil;\mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Rule init
4. $\lceil\Gamma\rceil;(\lceil A\rceil \supset \mathsf{af}(K)) \multimap \mathsf{af}(K),\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Rule $\multimap$L on 2,3
5. $\lceil\Gamma\rceil;\cdot \Rightarrow (\lceil A\rceil \supset \mathsf{af}(K)) \multimap \mathsf{af}(K)$ by i.h. premise 1
6. $\lceil\Gamma\rceil;\lceil C\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$ by Cut 5,4

□

Proof of Theorem F.1.

1. Suppose $\Gamma \Rightarrow A$. By Theorem F.1, $\Gamma \vdash A$. Hence by Theorem F.2, $\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil$.

2. Suppose $\Gamma \Rightarrow K\ \mathsf{affirms}\ A$. By Theorem F.1, $\Gamma \vdash K\ \mathsf{affirms}\ A$. Hence by Theorem F.2, $\lceil\Gamma\rceil;\lceil A\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)$.

□


G Proof of Soundness for Linear Translation

To prove soundness, we need some basic properties of proofs in INLL and ILL. We mention these properties below. The proofs of these properties are straightforward.

Lemma G.1 (Structural Properties of INLL Proofs). The following hold in INLL.

1. (Weakening) If $\Gamma \Rightarrow \gamma$, then $\Gamma,A \Rightarrow \gamma$.

2. (Strengthening) If $\Gamma,A,A \Rightarrow \gamma$, then $\Gamma,A \Rightarrow \gamma$.

Proof. Both properties follow by a straightforward induction on the given derivations. □

Lemma G.2 (Inversion in ILL). The following hold in ILL.

1. If $\Gamma;\Delta,!A \Rightarrow B$, then $\Gamma,A;\Delta \Rightarrow B$ by a shorter or equal derivation.

2. If $\Gamma;\Delta \Rightarrow A \supset B$, then $\Gamma,A;\Delta \Rightarrow B$ by a shorter or equal derivation.

Proof. Both properties follow by a straightforward induction on the given derivations. □

Finally, we prove soundness. We have to generalize the statement of the theorem to facilitate induction.

Theorem G.3 (Soundness). Let $\psi = \{\mathsf{af}(K_1),\ldots,\mathsf{af}(K_n)\}$ be a multiset of assumptions for some $n \geq 0$. The following hold:

1. If $\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow \lceil A\rceil$, then $\Gamma,\Delta \Rightarrow A$.

2. If $\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil A\rceil$, then $\Gamma,\Delta \Rightarrow A$.

3. If $\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil A\rceil \supset \mathsf{af}(K),\psi \Rightarrow \mathsf{af}(K)$ and $\mathsf{af}(K) \notin \psi$, then $\Gamma,\Delta \Rightarrow K\ \mathsf{affirms}\ A$.

4. If $\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow \mathsf{af}(K)$ and $\mathsf{af}(K) \notin \psi$, then $\Gamma,\Delta \Rightarrow K\ \mathsf{affirms}\ \bot$.

Proof. We prove this theorem by a simultaneous induction on the depth of the given derivations.


Proof of statement (1)

Case: $\dfrac{}{\lceil\Gamma\rceil;\lceil P\rceil \Rightarrow \lceil P\rceil}\ \mathrm{init}$

To show: $\Gamma,P \Rightarrow P$. This follows immediately by rule init.

Case: $\dfrac{\lceil\Gamma\rceil,\lceil A\rceil;\lceil A\rceil,\lceil\Delta\rceil,\psi \Rightarrow \lceil B\rceil}{\lceil\Gamma\rceil,\lceil A\rceil;\lceil\Delta\rceil,\psi \Rightarrow \lceil B\rceil}\ \mathrm{copy}$

To show: $\Gamma,A,\Delta \Rightarrow B$.

1. $\Gamma,A,\Delta,A \Rightarrow B$ by i.h.
2. $\Gamma,A,\Delta \Rightarrow B$ by Strengthening on 1

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow \lceil A\rceil \qquad \lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow \lceil B\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow \lceil A\rceil \mathbin{\&} \lceil B\rceil}\ \&\mathrm{R}$

To show: $\Gamma,\Delta \Rightarrow A \wedge B$.

1. $\Gamma,\Delta \Rightarrow A$ by i.h. premise 1
2. $\Gamma,\Delta \Rightarrow B$ by i.h. premise 2
3. $\Gamma,\Delta \Rightarrow A \wedge B$ by Rule $\wedge$R on 1,2

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil A\rceil,\psi \Rightarrow \lceil C\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil A\rceil \mathbin{\&} \lceil B\rceil,\psi \Rightarrow \lceil C\rceil}\ \&\mathrm{L}_1$

To show: $\Gamma,\Delta,A \wedge B \Rightarrow C$.

1. $\Gamma,\Delta,A \Rightarrow C$ by i.h.
2. $\Gamma,\Delta,A \wedge B \Rightarrow C$ by Rule $\wedge$L$_1$ on 1

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil B\rceil,\psi \Rightarrow \lceil C\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil A\rceil \mathbin{\&} \lceil B\rceil,\psi \Rightarrow \lceil C\rceil}\ \&\mathrm{L}_2$

To show: $\Gamma,\Delta,A \wedge B \Rightarrow C$. Similar to previous case.

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil A\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow (!\lceil A\rceil) \oplus (!\lceil B\rceil)}\ \oplus\mathrm{R}_1$

To show: $\Gamma,\Delta \Rightarrow A \vee B$.

1. $\Gamma,\Delta \Rightarrow A$ by i.h.
2. $\Gamma,\Delta \Rightarrow A \vee B$ by Rule $\vee$R$_1$

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil B\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow (!\lceil A\rceil) \oplus (!\lceil B\rceil)}\ \oplus\mathrm{R}_2$

To show: $\Gamma,\Delta \Rightarrow A \vee B$. Similar to previous case.

Case: $\dfrac{\lceil\Gamma\rceil;\,!\lceil A\rceil,\lceil\Delta\rceil,\psi \Rightarrow \lceil C\rceil \qquad \lceil\Gamma\rceil;\,!\lceil B\rceil,\lceil\Delta\rceil,\psi \Rightarrow \lceil C\rceil}{\lceil\Gamma\rceil;(!\lceil A\rceil) \oplus (!\lceil B\rceil),\lceil\Delta\rceil,\psi \Rightarrow \lceil C\rceil}\ \oplus\mathrm{L}$

To show: $\Gamma,A \vee B,\Delta \Rightarrow C$.

1. $\lceil\Gamma\rceil,\lceil A\rceil;\lceil\Delta\rceil,\psi \Rightarrow \lceil C\rceil$ by Inversion premise 1
2. $\lceil\Gamma\rceil,\lceil B\rceil;\lceil\Delta\rceil,\psi \Rightarrow \lceil C\rceil$ by Inversion premise 2
3. $\Gamma,A,\Delta \Rightarrow C$ by i.h. on 1
4. $\Gamma,B,\Delta \Rightarrow C$ by i.h. on 2
5. $\Gamma,A \vee B,\Delta \Rightarrow C$ by Rule $\vee$L on 3,4

Case: $\dfrac{}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow \top}\ \top\mathrm{R}$

To show: $\Gamma,\Delta \Rightarrow \top$. Follows immediately by rule $\top$R.

Case: $\dfrac{}{\lceil\Gamma\rceil;\lceil\Delta\rceil,0,\psi \Rightarrow \lceil A\rceil}\ 0\mathrm{L}$

To show: $\Gamma,\Delta,\bot \Rightarrow A$. Follows immediately by rule $\bot$L.

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi,\lceil A\rceil \supset \mathsf{af}(K) \Rightarrow \mathsf{af}(K)}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow (\lceil A\rceil \supset \mathsf{af}(K)) \multimap \mathsf{af}(K)}\ \multimap\mathrm{R}$

To show: $\Gamma,\Delta \Rightarrow \langle K\rangle A$.

1. $\Gamma,\Delta \Rightarrow K\ \mathsf{affirms}\ A$ by i.h.
2. $\Gamma,\Delta \Rightarrow \langle K\rangle A$ by Rule $\langle\rangle$R on 1

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta_1\rceil,\psi_1 \Rightarrow \lceil A\rceil \supset \mathsf{af}(K) \qquad \lceil\Gamma\rceil;\lceil\Delta_2\rceil,\psi_2,\mathsf{af}(K) \Rightarrow \lceil C\rceil}{\lceil\Gamma\rceil;\lceil\Delta_1\rceil,\lceil\Delta_2\rceil,\psi_1,\psi_2,(\lceil A\rceil \supset \mathsf{af}(K)) \multimap \mathsf{af}(K) \Rightarrow \lceil C\rceil}\ \multimap\mathrm{L}$

To show: $\Gamma,\Delta_1,\Delta_2,\langle K\rangle A \Rightarrow C$.

1. $\Gamma,\Delta_2 \Rightarrow C$ by i.h. premise 2
2. $\Gamma,\Delta_1,\Delta_2,\langle K\rangle A \Rightarrow C$ by Weakening on 1

Case: $\dfrac{\lceil\Gamma\rceil,\lceil A\rceil;\lceil\Delta\rceil,\psi \Rightarrow \lceil B\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\psi \Rightarrow \lceil A\rceil \supset \lceil B\rceil}\ \supset\mathrm{R}$

To show: $\Gamma,\Delta \Rightarrow A \supset B$.

1. $\Gamma,\Delta,A \Rightarrow B$ by i.h.
2. $\Gamma,\Delta \Rightarrow A \supset B$ by Rule $\supset$R on 1

Case: $\dfrac{\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil \qquad \lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil B\rceil,\psi \Rightarrow \lceil C\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil A\rceil \supset \lceil B\rceil,\psi \Rightarrow \lceil C\rceil}\ \supset\mathrm{L}$

To show: $\Gamma,\Delta,A \supset B \Rightarrow C$.

1. $\Gamma \Rightarrow A$ by i.h. premise 1
2. $\Gamma,\Delta,B \Rightarrow C$ by i.h. premise 2
3. $\Gamma,\Delta,A \supset B \Rightarrow C$ by Rule $\supset$L on 1,2

Other cases do not apply.


Proof of statement (2)

Case: $\dfrac{\lceil\Gamma\rceil,\lceil A\rceil;\lceil A\rceil,\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil B\rceil}{\lceil\Gamma\rceil,\lceil A\rceil;\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil B\rceil}\ \mathrm{copy}$

To show: $\Gamma,A,\Delta \Rightarrow B$.

1. $\Gamma,A,\Delta,A \Rightarrow B$ by i.h.
2. $\Gamma,A,\Delta \Rightarrow B$ by Strengthening on 1

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil A\rceil,\psi \Rightarrow\ !\lceil C\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil A\rceil \mathbin{\&} \lceil B\rceil,\psi \Rightarrow\ !\lceil C\rceil}\ \&\mathrm{L}_1$

To show: $\Gamma,\Delta,A \wedge B \Rightarrow C$.

1. $\Gamma,\Delta,A \Rightarrow C$ by i.h.
2. $\Gamma,\Delta,A \wedge B \Rightarrow C$ by Rule $\wedge$L$_1$ on 1

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil B\rceil,\psi \Rightarrow\ !\lceil C\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil A\rceil \mathbin{\&} \lceil B\rceil,\psi \Rightarrow\ !\lceil C\rceil}\ \&\mathrm{L}_2$

To show: $\Gamma,\Delta,A \wedge B \Rightarrow C$. Similar to previous case.

Case: $\dfrac{\lceil\Gamma\rceil;\,!\lceil A\rceil,\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil C\rceil \qquad \lceil\Gamma\rceil;\,!\lceil B\rceil,\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil C\rceil}{\lceil\Gamma\rceil;(!\lceil A\rceil) \oplus (!\lceil B\rceil),\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil C\rceil}\ \oplus\mathrm{L}$

To show: $\Gamma,A \vee B,\Delta \Rightarrow C$.

1. $\lceil\Gamma\rceil,\lceil A\rceil;\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil C\rceil$ by Inversion premise 1
2. $\lceil\Gamma\rceil,\lceil B\rceil;\lceil\Delta\rceil,\psi \Rightarrow\ !\lceil C\rceil$ by Inversion premise 2
3. $\Gamma,A,\Delta \Rightarrow C$ by i.h. on 1
4. $\Gamma,B,\Delta \Rightarrow C$ by i.h. on 2
5. $\Gamma,A \vee B,\Delta \Rightarrow C$ by Rule $\vee$L on 3,4

Case: $\dfrac{}{\lceil\Gamma\rceil;\lceil\Delta\rceil,0,\psi \Rightarrow\ !\lceil A\rceil}\ 0\mathrm{L}$

To show: $\Gamma,\Delta,\bot \Rightarrow A$. Follows immediately by rule $\bot$L.

Case: $\dfrac{\lceil\Gamma\rceil;\lceil\Delta_1\rceil,\psi_1 \Rightarrow \lceil A\rceil \supset \mathsf{af}(K) \qquad \lceil\Gamma\rceil;\lceil\Delta_2\rceil,\psi_2,\mathsf{af}(K) \Rightarrow\ !\lceil C\rceil}{\lceil\Gamma\rceil;\lceil\Delta_1\rceil,\lceil\Delta_2\rceil,\psi_1,\psi_2,(\lceil A\rceil \supset \mathsf{af}(K)) \multimap \mathsf{af}(K) \Rightarrow\ !\lceil C\rceil}\ \multimap\mathrm{L}$

To show: $\Gamma,\Delta_1,\Delta_2,\langle K\rangle A \Rightarrow C$.

1. $\Gamma,\Delta_2 \Rightarrow C$ by i.h. premise 2
2. $\Gamma,\Delta_1,\Delta_2,\langle K\rangle A \Rightarrow C$ by Weakening on 1

Case: $\dfrac{\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil \qquad \lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil B\rceil,\psi \Rightarrow\ !\lceil C\rceil}{\lceil\Gamma\rceil;\lceil\Delta\rceil,\lceil A\rceil \supset \lceil B\rceil,\psi \Rightarrow\ !\lceil C\rceil}\ \supset\mathrm{L}$

To show: $\Gamma,\Delta,A \supset B \Rightarrow C$.

1. $\Gamma \Rightarrow A$ by i.h. premise 1
2. $\Gamma,\Delta,B \Rightarrow C$ by i.h. premise 2
3. $\Gamma,\Delta,A \supset B \Rightarrow C$ by Rule $\supset$L on 1,2

Case: $\dfrac{\lceil\Gamma\rceil;\cdot \Rightarrow \lceil A\rceil}{\lceil\Gamma\rceil;\cdot \Rightarrow\ !\lceil A\rceil}\ !\mathrm{R}$

To show: $\Gamma \Rightarrow A$. Follows immediately by i.h. on the premise.

Other cases do not apply.


Proof of statement (3)

Case: Rule init does not apply since the consequent $\mathit{af}(K)$ cannot occur in $\ulcorner\Delta\urcorner$ (by definition) or $\psi$ (by assumption).

Case: copy

$$\frac{\ulcorner\Gamma\urcorner, \ulcorner A\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner A\urcorner, \ulcorner B\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner, \ulcorner A\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner B\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}\ \text{copy}$$

To show: $\Gamma, A, \Delta \Rightarrow K \mathrel{\mathit{affirms}} B$.

1. $\Gamma, A, \Delta, A \Rightarrow K \mathrel{\mathit{affirms}} B$ by i.h.
2. $\Gamma, A, \Delta \Rightarrow K \mathrel{\mathit{affirms}} B$ by Strengthening on 1

Case: $\&L_1$

$$\frac{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner A\urcorner, \ulcorner C\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner A\urcorner \mathbin{\&} \ulcorner B\urcorner, \ulcorner C\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}\ \&L_1$$

To show: $\Gamma, \Delta, A \land B \Rightarrow K \mathrel{\mathit{affirms}} C$.

1. $\Gamma, \Delta, A \Rightarrow K \mathrel{\mathit{affirms}} C$ by i.h.
2. $\Gamma, \Delta, A \land B \Rightarrow K \mathrel{\mathit{affirms}} C$ by Rule $\land L_1$ on 1

Case: $\&L_2$

$$\frac{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner B\urcorner, \ulcorner C\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner A\urcorner \mathbin{\&} \ulcorner B\urcorner, \ulcorner C\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}\ \&L_2$$

To show: $\Gamma, \Delta, A \land B \Rightarrow K \mathrel{\mathit{affirms}} C$.

Similar to previous case.

Case: $\oplus L$

$$\frac{\ulcorner\Gamma\urcorner;\ {!}\ulcorner A\urcorner, \ulcorner\Delta\urcorner, \ulcorner C\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K) \qquad \ulcorner\Gamma\urcorner;\ {!}\ulcorner B\urcorner, \ulcorner\Delta\urcorner, \ulcorner C\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ ({!}\ulcorner A\urcorner) \oplus ({!}\ulcorner B\urcorner), \ulcorner\Delta\urcorner, \ulcorner C\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}\ \oplus L$$

To show: $\Gamma, A \lor B, \Delta \Rightarrow K \mathrel{\mathit{affirms}} C$.

1. $\ulcorner\Gamma\urcorner, \ulcorner A\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner C\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)$ by Inversion premise 1
2. $\ulcorner\Gamma\urcorner, \ulcorner B\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner C\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)$ by Inversion premise 2
3. $\Gamma, A, \Delta \Rightarrow K \mathrel{\mathit{affirms}} C$ by i.h. on 1
4. $\Gamma, B, \Delta \Rightarrow K \mathrel{\mathit{affirms}} C$ by i.h. on 2
5. $\Gamma, A \lor B, \Delta \Rightarrow K \mathrel{\mathit{affirms}} C$ by Rule $\lor L$ on 3,4

Case: $0L$

$$\frac{}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, 0, \ulcorner A\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}\ 0L$$

To show: $\Gamma, \Delta, \bot \Rightarrow K \mathrel{\mathit{affirms}} A$.

Follows immediately by rule $\bot L$.

Case: $\multimap L$

$$\frac{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta_1\urcorner, \psi_1 \Longrightarrow \ulcorner C\urcorner \supset \mathit{af}(K') \qquad \ulcorner\Gamma\urcorner;\ \ulcorner\Delta_2\urcorner, \ulcorner A\urcorner \supset \mathit{af}(K), \psi_2, \mathit{af}(K') \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta_1\urcorner, \ulcorner\Delta_2\urcorner, \psi_1, \psi_2, \ulcorner\langle K'\rangle C\urcorner, \ulcorner A\urcorner \supset \mathit{af}(K) \Longrightarrow \mathit{af}(K)}\ \multimap L$$

To show: $\Gamma, \Delta_1, \Delta_2, \langle K'\rangle C \Rightarrow K \mathrel{\mathit{affirms}} A$.

We have two possibilities: either $K = K'$ or $K \neq K'$.

Subcase: $K = K'$

1. $\ulcorner\Gamma\urcorner, \ulcorner C\urcorner;\ \ulcorner\Delta_1\urcorner, \psi_1 \Longrightarrow \mathit{af}(K)$ by Inversion premise 1
2. $\Gamma, \Delta_1, C \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by i.h. on 1
3. $\Gamma, \Delta_1, \Delta_2, \langle K\rangle C \Rightarrow K \mathrel{\mathit{affirms}} C$ by Reasoning in INLL
4. $\Gamma, \Delta_1, \Delta_2, \langle K\rangle C \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by Theorem 2.1 on 3,2
5. $\bot \Rightarrow K \mathrel{\mathit{affirms}} A$ by Rule $\bot L$
6. $\Gamma, \Delta_1, \Delta_2, \langle K\rangle C \Rightarrow K \mathrel{\mathit{affirms}} A$ by Theorem 2.1 on 4,5

Subcase: $K \neq K'$

1. $\Gamma, \Delta_2 \Rightarrow K \mathrel{\mathit{affirms}} A$ by i.h. premise 2
2. $\Gamma, \Delta_1, \Delta_2, \langle K'\rangle C \Rightarrow K \mathrel{\mathit{affirms}} A$ by Weakening on 1

Case: $\multimap L$

$$\frac{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta_1\urcorner, \psi_1, \ulcorner A\urcorner \supset \mathit{af}(K) \Longrightarrow \ulcorner C\urcorner \supset \mathit{af}(K') \qquad \ulcorner\Gamma\urcorner;\ \ulcorner\Delta_2\urcorner, \psi_2, \mathit{af}(K') \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta_1\urcorner, \ulcorner\Delta_2\urcorner, \psi_1, \psi_2, \ulcorner\langle K'\rangle C\urcorner, \ulcorner A\urcorner \supset \mathit{af}(K) \Longrightarrow \mathit{af}(K)}\ \multimap L$$

To show: $\Gamma, \Delta_1, \Delta_2, \langle K'\rangle C \Rightarrow K \mathrel{\mathit{affirms}} A$.

We have two possibilities: either $K = K'$ or $K \neq K'$.

Subcase: $K = K'$

1. $\ulcorner\Gamma\urcorner, \ulcorner C\urcorner;\ \ulcorner\Delta_1\urcorner, \psi_1, \ulcorner A\urcorner \supset \mathit{af}(K) \Longrightarrow \mathit{af}(K)$ by Inversion premise 1
2. $\Gamma, \Delta_1, C \Rightarrow K \mathrel{\mathit{affirms}} A$ by i.h. on 1
3. $\Gamma, \Delta_1, \Delta_2, \langle K\rangle C \Rightarrow K \mathrel{\mathit{affirms}} C$ by Reasoning in INLL
4. $\Gamma, \Delta_1, \Delta_2, \langle K\rangle C \Rightarrow K \mathrel{\mathit{affirms}} A$ by Theorem 2.1 on 3,2

Subcase: $K \neq K'$

1. $\Gamma, \Delta_2 \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by i.h. premise 2
2. $\bot \Rightarrow K \mathrel{\mathit{affirms}} A$ by Rule $\bot L$
3. $\Gamma, \Delta_2 \Rightarrow K \mathrel{\mathit{affirms}} A$ by Theorem 2.1 on 1,2
4. $\Gamma, \Delta_1, \Delta_2, \langle K'\rangle C \Rightarrow K \mathrel{\mathit{affirms}} A$ by Weakening on 3

Case: $\supset L$

$$\frac{\ulcorner\Gamma\urcorner;\ \cdot \Longrightarrow \ulcorner A\urcorner \qquad \ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \psi, \mathit{af}(K) \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \psi, \ulcorner A\urcorner \supset \mathit{af}(K) \Longrightarrow \mathit{af}(K)}\ \supset L$$

To show: $\Gamma, \Delta \Rightarrow K \mathrel{\mathit{affirms}} A$.

1. $\Gamma \Rightarrow A$ by i.h. premise 1
2. $\Gamma \Rightarrow K \mathrel{\mathit{affirms}} A$ by Rule affirms on 1
3. $\Gamma, \Delta \Rightarrow K \mathrel{\mathit{affirms}} A$ by Weakening on 2

Case: $\supset L$

$$\frac{\ulcorner\Gamma\urcorner;\ \cdot \Longrightarrow \ulcorner B\urcorner \qquad \ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \psi, \ulcorner C\urcorner, \ulcorner A\urcorner \supset \mathit{af}(K) \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner B\urcorner \supset \ulcorner C\urcorner, \ulcorner A\urcorner \supset \mathit{af}(K), \psi \Longrightarrow \mathit{af}(K)}\ \supset L$$

To show: $\Gamma, \Delta, B \supset C \Rightarrow K \mathrel{\mathit{affirms}} A$.

1. $\Gamma \Rightarrow B$ by i.h. premise 1
2. $\Gamma, \Delta, C \Rightarrow K \mathrel{\mathit{affirms}} A$ by i.h. premise 2
3. $\Gamma, \Delta, B \supset C \Rightarrow K \mathrel{\mathit{affirms}} A$ by Rule $\supset L$ on 1,2

No other case applies.

Proof of statement (4)

Case: Rule init does not apply since the consequent $\mathit{af}(K)$ cannot occur in $\ulcorner\Delta\urcorner$ (by definition) or $\psi$ (by assumption).

Case: copy

$$\frac{\ulcorner\Gamma\urcorner, \ulcorner A\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner A\urcorner, \psi \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner, \ulcorner A\urcorner;\ \ulcorner\Delta\urcorner, \psi \Longrightarrow \mathit{af}(K)}\ \text{copy}$$

To show: $\Gamma, A, \Delta \Rightarrow K \mathrel{\mathit{affirms}} \bot$.

1. $\Gamma, A, \Delta, A \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by i.h.
2. $\Gamma, A, \Delta \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by Strengthening on 1

Case: $\&L_1$

$$\frac{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner A\urcorner, \psi \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner A\urcorner \mathbin{\&} \ulcorner B\urcorner, \psi \Longrightarrow \mathit{af}(K)}\ \&L_1$$

To show: $\Gamma, \Delta, A \land B \Rightarrow K \mathrel{\mathit{affirms}} \bot$.

1. $\Gamma, \Delta, A \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by i.h.
2. $\Gamma, \Delta, A \land B \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by Rule $\land L_1$ on 1

Case: $\&L_2$

$$\frac{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner B\urcorner, \psi \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner A\urcorner \mathbin{\&} \ulcorner B\urcorner, \psi \Longrightarrow \mathit{af}(K)}\ \&L_2$$

To show: $\Gamma, \Delta, A \land B \Rightarrow K \mathrel{\mathit{affirms}} \bot$.

Similar to previous case.

Case: $\oplus L$

$$\frac{\ulcorner\Gamma\urcorner;\ {!}\ulcorner A\urcorner, \ulcorner\Delta\urcorner, \psi \Longrightarrow \mathit{af}(K) \qquad \ulcorner\Gamma\urcorner;\ {!}\ulcorner B\urcorner, \ulcorner\Delta\urcorner, \psi \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ ({!}\ulcorner A\urcorner) \oplus ({!}\ulcorner B\urcorner), \ulcorner\Delta\urcorner, \psi \Longrightarrow \mathit{af}(K)}\ \oplus L$$

To show: $\Gamma, A \lor B, \Delta \Rightarrow K \mathrel{\mathit{affirms}} \bot$.

1. $\ulcorner\Gamma\urcorner, \ulcorner A\urcorner;\ \ulcorner\Delta\urcorner, \psi \Longrightarrow \mathit{af}(K)$ by Inversion premise 1
2. $\ulcorner\Gamma\urcorner, \ulcorner B\urcorner;\ \ulcorner\Delta\urcorner, \psi \Longrightarrow \mathit{af}(K)$ by Inversion premise 2
3. $\Gamma, A, \Delta \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by i.h. on 1
4. $\Gamma, B, \Delta \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by i.h. on 2
5. $\Gamma, A \lor B, \Delta \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by Rule $\lor L$ on 3,4

Case: $0L$

$$\frac{}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, 0, \psi \Longrightarrow \mathit{af}(K)}\ 0L$$

To show: $\Gamma, \Delta, \bot \Rightarrow K \mathrel{\mathit{affirms}} \bot$.

Follows immediately by rule $\bot L$.

Case: $\multimap L$

$$\frac{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta_1\urcorner, \psi_1 \Longrightarrow \ulcorner C\urcorner \supset \mathit{af}(K') \qquad \ulcorner\Gamma\urcorner;\ \ulcorner\Delta_2\urcorner, \psi_2, \mathit{af}(K') \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta_1\urcorner, \ulcorner\Delta_2\urcorner, \psi_1, \psi_2, \ulcorner\langle K'\rangle C\urcorner \Longrightarrow \mathit{af}(K)}\ \multimap L$$

To show: $\Gamma, \Delta_1, \Delta_2, \langle K'\rangle C \Rightarrow K \mathrel{\mathit{affirms}} \bot$.

We have two possibilities: $K = K'$ or $K \neq K'$.

Subcase: $K = K'$.

1. $\ulcorner\Gamma\urcorner, \ulcorner C\urcorner;\ \ulcorner\Delta_1\urcorner, \psi_1 \Longrightarrow \mathit{af}(K)$ by Inversion premise 1
2. $\Gamma, C, \Delta_1 \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by i.h. on 1
3. $\Gamma, \Delta_1, \Delta_2, \langle K\rangle C \Rightarrow K \mathrel{\mathit{affirms}} C$ by Reasoning in INLL
4. $\Gamma, \Delta_1, \Delta_2, \langle K\rangle C \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by Theorem 2.1 on 3,2

Subcase: $K \neq K'$.

1. $\Gamma, \Delta_2 \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by i.h. premise 2
2. $\Gamma, \Delta_1, \Delta_2, \langle K'\rangle C \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by Weakening on 1

Case: $\supset L$

$$\frac{\ulcorner\Gamma\urcorner;\ \cdot \Longrightarrow \ulcorner B\urcorner \qquad \ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \psi, \ulcorner C\urcorner \Longrightarrow \mathit{af}(K)}{\ulcorner\Gamma\urcorner;\ \ulcorner\Delta\urcorner, \ulcorner B\urcorner \supset \ulcorner C\urcorner, \psi \Longrightarrow \mathit{af}(K)}\ \supset L$$

To show: $\Gamma, \Delta, B \supset C \Rightarrow K \mathrel{\mathit{affirms}} \bot$.

1. $\Gamma \Rightarrow B$ by i.h. premise 1
2. $\Gamma, \Delta, C \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by i.h. premise 2
3. $\Gamma, \Delta, B \supset C \Rightarrow K \mathrel{\mathit{affirms}} \bot$ by Rule $\supset L$ on 1,2

No other cases apply.

□
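As an added illustration, not from the original report, of the encoding $\ulcorner\langle K\rangle A\urcorner = (\ulcorner A\urcorner \supset \mathit{af}(K)) \multimap \mathit{af}(K)$ that the $\multimap L$ cases above decompose, here is the linear derivation of the translated lax axiom $A \supset \langle K\rangle A$. It uses copy, init and $\supset L$ exactly as they appear in the cases, together with the standard right rules $\supset R$ and $\multimap R$, which are assumed here.

1. $\ulcorner A\urcorner;\ \ulcorner A\urcorner \Longrightarrow \ulcorner A\urcorner$ by Rule init
2. $\ulcorner A\urcorner;\ \cdot \Longrightarrow \ulcorner A\urcorner$ by Rule copy on 1
3. $\ulcorner A\urcorner;\ \mathit{af}(K) \Longrightarrow \mathit{af}(K)$ by Rule init
4. $\ulcorner A\urcorner;\ \ulcorner A\urcorner \supset \mathit{af}(K) \Longrightarrow \mathit{af}(K)$ by Rule $\supset L$ on 2,3
5. $\ulcorner A\urcorner;\ \cdot \Longrightarrow (\ulcorner A\urcorner \supset \mathit{af}(K)) \multimap \mathit{af}(K)$ by Rule $\multimap R$ on 4
6. $\cdot;\ \cdot \Longrightarrow \ulcorner A\urcorner \supset ((\ulcorner A\urcorner \supset \mathit{af}(K)) \multimap \mathit{af}(K))$ by Rule $\supset R$ on 5

Step 4 has exactly the shape handled by the $\supset L$ case on $\ulcorner A\urcorner \supset \mathit{af}(K)$ in the proof of statement (3), with $\Delta$ and $\psi$ empty.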
Proof of Theorem G.2.

1. Suppose that $\ulcorner\Gamma\urcorner;\ \cdot \Longrightarrow \ulcorner A\urcorner$. Then by Theorem G.3(1), $\Gamma \Rightarrow A$.

2. Suppose that $\ulcorner\Gamma\urcorner;\ \ulcorner A\urcorner \supset \mathit{af}(K) \Longrightarrow \mathit{af}(K)$. By Theorem G.3(3), $\Gamma \Rightarrow K \mathrel{\mathit{affirms}} A$.

□